Abstract

We demonstrate how to carry out cryptographic security analysis of distributed protocols within 
the Probabilistic I/O Automata framework of Lynch, Segala, and Vaandrager. This framework 
provides tools for arguing rigorously about the concurrency and scheduling aspects of protocols, 
and about protocols presented at different levels of abstraction. Consequently, it can help in making 
cryptographic analysis more precise and less susceptible to errors. 

We concentrate on a relatively simple two-party Oblivious Transfer protocol, in the presence 
of a semi-honest adversary (essentially, an eavesdropper). For the underlying cryptographic notion 
of security, we use a version of Canetti's Universally Composable security. In spite of the relative 
simplicity of the example, the exercise is quite nontrivial. It requires taking many fundamental issues 
into account, including nondeterministic behavior, scheduling, resource-bounded computation, and 
computational hardness assumptions for cryptographic primitives. 
1 Introduction

Modeling cryptographic protocols and analyzing their security is a tricky business. On the one hand, 
valid modeling and analysis has to address the concurrency aspects of asynchronous distributed systems, 
with potentially adversarial scheduling of events. On the other hand, realistic analysis has to accommodate
the fact that, in most interesting cases, it is impossible to completely prevent successful attacks
against the protocol. Instead, we can only bound the success probability of attacks that use a bounded 
amount of computational resources. Even worse, given our current state of scientific knowledge, we can 
typically only make such guarantees based on underlying computational hardness assumptions. 

Indeed, cryptographic modeling and analysis is typically complex, involving many subtleties and 
details, even when the analyzed protocols are simple. Furthermore, analysis is handwritten and often 
tedious to verify. These factors make security analysis of cryptographic protocols susceptible to errors 
and omissions. (See, for instance, the errors reported in [s02, HMS03]). They are also obstacles to 
analyzing more complex cryptographic protocols and systems that use them. 

One approach to simplifying cryptographic protocol analysis and improving its correctness is to
model cryptographic primitives as "symbolic operations", or "ideal boxes", which represent the security
properties of the primitives in an idealized way that involves no error probabilities or computational
issues. This approach, first proposed by Dolev and Yao [dy83] and widely used since, indeed simplifies
the analysis dramatically. Furthermore, several recent works (e.g., [ar00, bpw03, mw04, Ch04]) have
demonstrated that this approach can potentially provide cryptographic soundness, in the sense that one 
can transform secure idealized protocols into secure concrete protocols that use concrete cryptographic 
primitives. This approach is quite promising; however, it does not completely remove the need for 
cryptographic analysis of protocols. Rather, it only proves security of the overall protocol assuming 
security of the cryptographic primitives in use. One still has to prove security of these primitives in a 
full-fledged cryptographic model with all its subtleties. Furthermore, a new abstract model has to be 
hand-crafted for each new set of cryptographic primitives to be used. 

This paper proposes an alternative (in fact, complementary) approach to making cryptographic 
protocol analysis more mechanical and rigorous, and thus less susceptible to errors. The idea is to 
directly assert the security of a protocol in a concrete model without abstract cryptography, and where 
security typically holds only for computationally bounded adversaries, and only under computational 
assumptions. Here the goal is to show that the protocol realizes a specification, where the specification 
is in itself described as a distributed process, albeit a more abstract and idealized one. Specifically, 
we propose to express cryptographic protocols, as well as the specification processes, using a variant of 
the Probabilistic I/O Automata (PIOA) framework developed in the concurrency semantics research 
community [sl95, lsv03]. Similarly, we formalize the notion of "realizing a specification" via a variant 
of the standard implementation relation within that framework. 

Several papers have recently proposed the direct mechanization and formalization of concrete cryptographic
analysis of protocols, in a number of different contexts. Examples include representing analysis
as a sequence of games [s04], as well as methods for mechanizing that process [h05, b05]. Our work
differs from those in two main respects. First, those papers do not address the ideal-process-based notion of
security; namely, they do not address asserting that a protocol realizes a specification process in a standard
cryptographic sense, and hence do not provide any secure composability guarantees. In contrast,
our analytical framework provides strong composability guarantees in a natural way. Furthermore, our
analysis enjoys the extra rigor and detail that underlie the PIOA framework.

Briefly, a PIOA is a kind of abstract automaton. It includes states, start states, and actions, which 
are classified as input, output, or internal actions. Each action has an associated set of transitions, which 
go from states to probability distributions on states. Thus, PIOAs are capable of expressing random 
choice. PIOAs can be composed to yield larger PIOAs; in particular, PIOAs modeling individual 
components of a system may be composed to yield a PIOA model for the entire system. 

Many interesting properties of systems described using PIOAs can be expressed as invariant assertions,
that is, properties of the system state that are true in all reachable states. In the PIOA framework,
such properties are proved by induction on the length of an execution. The PIOA framework also supports
the description of systems at multiple levels of abstraction. It includes notions of implementation,
which assert that a "low-level" system is indistinguishable from another, "higher-level" system, from the
point of view of some common "environment" component. The framework also includes various kinds
of simulation relations, which provide sufficient conditions for proving implementation relationships
between systems. Like invariants, simulation relations are generally proved by induction.

In all, the PIOA framework allows for a completely rigorous protocol specification and analysis. 
This stands in contrast to standard cryptographic modeling, where protocols and adversaries are never 
completely and rigorously specified in terms of the underlying formal model. (For instance, protocols 
are practically never described in detail in terms of the actual transition function of an interactive 
Turing machine.) 

We provide some high-level motivation for our proposal to use PIOAs for cryptographic protocol 
analysis. Recall that a typical proof of security of a protocol in a cryptographic model consists of two 
main parts. The first part consists of describing one or more algorithms for an adversary to perform, 
typically given access to another adversary. Such an adversary can be either a "simulator" that has to 
operate in a restricted ("idealized") model, or alternatively, a "reduction," that is, an adversary that 
performs some assumed-to-be-hard computation. This part of the proof is more "algorithmic" in nature
and typically requires some level of human creativity. 

The second part of the proof consists of analyzing the adversaries constructed in the first part, 
and proving some claims regarding their behavior. This part is typically more "mechanical", and boils 
down to proving that two different probabilistic distributed systems exhibit the same or very similar 
behaviors. Although the algorithmic part seems relatively hard to mechanize, the analytic part is 
amenable to mechanization (and eventual automation). However, in typical cryptographic proofs, this 
analysis is only sketched, and it is here that many errors and oversights occur. 

In contrast, precise modeling of asynchronous, probabilistic distributed systems, and proving similarity
in behavior of different systems, are among the main strengths of the PIOA framework. Thus,
expressing protocols, simulators, and reductions in the PIOA framework, and using the analytical tools
from that framework to prove the relevant similarity claims, may take us a long way towards more rigorous,
more mechanized, and eventually automated protocol analysis, while maintaining cryptographic
soundness.

We exemplify this approach by analyzing a relatively simple protocol for a relatively simple task, in 
a fairly restricted setting. Still, despite its simplicity, this exercise requires dealing with many general 
issues regarding the modeling of cryptographic analysis within the PIOA framework, including representing
resource-bounded computation and scheduling, modeling computational hardness assumptions,
representing error probabilities, and resolving several sources of nondeterminism. Overcoming these
issues seems to be a prerequisite for performing cryptographic analysis of any cryptographic protocol in
the PIOA framework. We hope that the modeling and basic formalisms developed here will provide 
a sound basis for future work in this direction. The next few paragraphs contain a somewhat more 
detailed sketch of the issues involved and of our modeling approach. 

The example. The task we consider is Oblivious Transfer (OT) [r81, egl85], where a transmitter
inputs two bits $(x_0, x_1)$, and a receiver inputs a selector bit $i$. The correctness requirement is that the
receiver should output $x_i$. The secrecy requirements are that the receiver should learn nothing but $x_i$
and that the transmitter should learn nothing at all. In spite of its apparent simplicity, OT is a very
powerful primitive. In fact, it has been shown to be complete for multi-party secure protocols, in the
sense that one can construct protocols for securely realizing any functionality, using OT as the only
cryptographic primitive (see, e.g., [gmw87, k89]).

OT is also interesting from an analytical viewpoint, because it imposes secrecy requirements when 
either party is corrupted, in addition to correctness requirements. (This stands in contrast to the
often-analyzed example of key exchange, which imposes no secrecy requirements when either party is 
corrupted.) 

We concentrate on realizing OT in the presence of a passive (sometimes called "eavesdropping") 
adversary, where even corrupted parties continue to follow the protocol instructions. Furthermore, we 
concentrate on non-adaptive corruptions, where the set of corrupted parties is fixed before protocol
execution starts. The particular OT protocol we analyze is the classic protocol of [egl85, GMW87], 
which uses trap-door permutations (and hard-core predicates for them) as the underlying cryptographic 
primitive. 

The notion of security. We base our definition of cryptographically secure OT (secure against
passive, nonadaptive adversaries) on Canetti's definition of OT in the Universally Composable (UC)
security framework [c01]. In a nutshell, this definition proceeds as follows: First, an ideal OT process
is defined — a kind of trusted party that receives inputs from both parties and outputs the correct bit to
the receiver. Then a protocol is defined to be a secure OT protocol if it securely realizes the OT ideal
system, in the sense that for any adversary $\mathcal{A}$ that interacts with the protocol, there exists an adversary
("simulator") $\mathcal{S}$ that interacts with the ideal system, such that no "external environment" $\mathcal{E}$ can tell
whether it is interacting with the protocol and $\mathcal{A}$, or alternatively with the ideal process and $\mathcal{S}$.

In our development, we define all the system components — the transmitter and receiver roles in the
protocol, the ideal process, the adversaries, and the environment — as PIOAs, and formulate indistinguishability
using a definition of implementation for PIOAs.

Modular analysis. The analysis of the protocol is modular, using multiple levels of abstraction in 
describing the systems of interest. Furthermore, the analysis at each level is broken down into many 
relatively simple statements that can be proven separately. This enables a treatment that is completely 
rigorous while being conceptually clear and understandable. 

Resolving nondeterminism. In our PIOA models, the various system components make nondeterministic
as well as probabilistic choices. For example, the order of message delivery by the adversary
is left unspecified. Also, we allow nondeterminism in the order in which the different components take
steps. We then say that the protocol is secure if the real system "implements" the ideal system, in
the sense that for any way of resolving the nondeterminism in the real system, there exists a way of
resolving the nondeterminism in the ideal system, such that the views of the environment $\mathcal{E}$ in the two
interactions are the same (or similar). Here we have to make sure that the nondeterministic choices
do not give the adversaries effective computational power that is not resource bounded. We do this
by essentially restricting the nondeterministic choices to be resolved independently of the values of the
inputs and the results of the random choices made during the execution. (Roughly speaking, we say
that the nondeterminism is resolved "before the execution starts".)

Resource-bounded adversaries. Capturing resource-bounded adversarial behavior is an essential 
aspect of cryptographic modeling. One concern, mentioned in the previous paragraph, is to make sure 
that the method of resolving nondeterministic choices does not give adversaries "back-door access" to 
"illegitimate computational power" . Another concern is to make sure that, after all the nondeterminism 
is resolved, the operations taken by the adversarial entities in the system are computationally bounded. 
We guarantee this property by explicitly requiring that all the transitions taken by the schedulers and
the adversarial entities in the system are computationally bounded. Specifically, we require that all these transitions are (1) length
preserving, in the sense that the description of the end state is no longer than the description of the 
start state; and (2) computable in probabilistic polynomial time (PPT) in the description of the start 
state. 

Using computational hardness assumptions. To show that the real system "implements" the 
ideal system one has to consider four cases, depending on which of the two parties are corrupted. When 
only the transmitter is corrupted, and when both parties are corrupted, it is possible to show that the real 
system implements the ideal system unconditionally. This allows for relatively straightforward analysis. 
However, when neither party is corrupted, or when only the receiver is corrupted, implementation can
be demonstrated only in a "computational sense", i.e., with respect to PPT adversaries and schedulers.
Furthermore, implementation can only be proven assuming the security of the underlying trap-door
permutation $f$. In order to prove such a statement we follow the cryptographic approach of "proof by
reduction". That is, given an adversary (or, rather, an "adversarial environment" in our formulation)
that breaks the desired implementation relation, construct an adversary that inverts the underlying
trapdoor permutation.

We take a slightly different approach: We first formulate the security property of the trap-door
permutation $f$ in terms of an implementation relation on PIOAs. That is, we formulate a "concrete
TDP" PIOA and an "abstract TDP" PIOA, and then show that if $f$ is a trap-door one-way permutation
then the concrete TDP PIOA implements the abstract TDP PIOA. Then, the rest of the analysis is
performed assuming that the concrete TDP PIOA implements the abstract TDP PIOA. This allows us
to perform the entire analysis in the PIOA framework using the implementation relation and without
explicit proofs by reduction.

We remark that the actual analysis involves a few more steps than what is indicated in the above
sketch. First, instead of using the security of $f$ directly, we use the security of a hard-core predicate $B(\cdot)$
for $f$. (Recall that any one-way function, trap-door permutations being a special case, has a hard-core
predicate [gl89].) That is, we use the fact that if $f$ is chosen uniformly from a family of one-way trap-door
permutations, $x$ is chosen uniformly from the domain of $f$, and $b$ is a uniformly chosen bit, then
the triple $(f, f(x), B(x))$ is polynomial-time indistinguishable from the triple $(f, f(x), b)$. Furthermore,
we use the fact that seeing two hard-core bits of two pre-images of randomly chosen values is still
indistinguishable from seeing two random bits.

Extending the PIOA framework. Following the usual proof methods for distributed algorithms, 
we have decomposed our proofs into several stages, with general transitivity results used to combine 
the results of the stages. A feature of our proofs is that complicated reasoning about particular cryptographic
primitives — in this case, a hard-core predicate — is isolated to a single stage of each proof.

Producing this proof required us to develop two new kinds of theory: First, we extended traditional 
PIOA theory in two ways: 

• We defined a new notion of tasks, which provide a mechanism to resolve nondeterministic choices.

• We defined a new kind of simulation relation, which relates probability distributions on
states at two levels of abstraction, and which allows splitting of distributions in order to show
that individual steps preserve the correspondence.

Second, we developed a new theory for time-bounded PIOAs, specifically: 

• We defined time-bounded PIOAs, which impose time bounds on the individual steps of the PIOAs. 

• We defined a new approximate, time-bounded, implementation relationship between time-bounded 
PIOAs, which is sufficient to capture the typical relationships between cryptographic primitives 
and the abstractions they are supposed to implement. 

In the multi-stage proofs, most of the stages represent exact (not approximate) implementations; 
we prove all these using standard PIOA theory, extended with our new simulation relation. The 
techniques for showing this are fairly standard in the distributed algorithms research literature, based 
on proving invariants and simulation relationships by induction on the number of steps in an execution. 
The remaining stages involve replacement of a cryptographic primitive with a random counterpart; 
we prove that these satisfy our approximate implementation relationship. The techniques for showing 
this are based on recasting the definitions of the cryptographic primitives in terms of approximate 
implementation relationships, and then combining these primitives with other components in various 
ways that preserve the implementation relationships. Transitivity results allow us to combine all the 
implementation relationships proved at all the stages to obtain an overall approximate implementation 
relationship between the Oblivious Transfer algorithm and its property specification. 
2 Informal Description

We consider an oblivious transfer protocol in which a transmitter $\mathcal{T}$ sends two bits $(x_0, x_1)$ to a receiver
$\mathcal{R}$ who decides to receive only one of them, while preventing $\mathcal{T}$ from knowing which one was delivered.
The following is an informal description of the desired behavior:

Oblivious Transfer Functionality $\mathcal{F}$

On inputs $(x_0, x_1)$ from $\mathcal{T}$, record $(x_0, x_1)$.

On input $i$ from $\mathcal{R}$, send $x_i$ to $\mathcal{R}$.

We analyze the following protocol for realizing this functionality. The protocol was first proposed in
[gmw87].

Oblivious Transfer Protocol

On inputs $(x_0, x_1)$ for $\mathcal{T}$ and $i$ for $\mathcal{R}$.

$\mathcal{T}$ selects a random trap-door permutation $f : D \to D$.

1. $\mathcal{T} \to \mathcal{R}$: $f$

$\mathcal{R}$ selects two random elements $y_0, y_1 \in D$.

2. $\mathcal{R} \to \mathcal{T}$: $(f^{1-i}(y_0), f^{i}(y_1))$
$\mathcal{T}$ receives these values as $(z_0, z_1)$.

3. $\mathcal{T} \to \mathcal{R}$: $(B(f^{-1}(z_0)) \oplus x_0,\ B(f^{-1}(z_1)) \oplus x_1)$,
where $B$ is a hard-core predicate for $f$.
$\mathcal{R}$ receives these values as $(b_0, b_1)$.
Finally, $\mathcal{R}$ outputs $B(y_i) \oplus b_i$.
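The three-message exchange above, run end to end in Python as an added illustration (not code from the paper). It assumes textbook RSA over constructed 16-bit primes as the trap-door permutation $f$ (far too small to be secure; it only exercises the protocol steps) and the least-significant bit as the hard-core predicate $B$; the transcript returned is what a passive adversary $\mathcal{A}$ sees on the wire.

```python
import secrets
from math import gcd, isqrt


def is_prime(n):
    """Trial division; adequate for the 16-bit toy primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def random_prime(bits=16):
    """Random prime with the top bit set, so N = p*q is about 32 bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


class ToyTDP:
    """Textbook RSA standing in for the trap-door permutation f : D -> D,
    with D = Z_N^*.  Constructed, insecure parameter sizes (assumption)."""

    def __init__(self):
        p, q = random_prime(), random_prime()
        while q == p:
            q = random_prime()
        self.N, self.e = p * q, 65537
        # e = 65537 is prime and larger than p-1 and q-1, so gcd(e, phi) = 1.
        self._d = pow(self.e, -1, (p - 1) * (q - 1))  # trap-door, kept by T

    def public(self):
        """Description of f that T sends to R in message 1."""
        return (self.N, self.e)

    def random_element(self):
        """Random element of D = Z_N^*."""
        while True:
            y = secrets.randbelow(self.N)
            if y > 1 and gcd(y, self.N) == 1:
                return y

    def invert(self, z):
        """f^{-1}(z): requires the trap-door d."""
        return pow(z, self._d, self.N)


def apply_f(pub, y):
    """f(y) = y^e mod N, computable by anyone holding the public description."""
    N, e = pub
    return pow(y, e, N)


def hardcore_B(y):
    """Least-significant bit, used here as the hard-core predicate B for f."""
    return y & 1


def run_ot(x0, x1, i):
    """Run the three messages; return (R's output, transcript seen by A)."""
    # Message 1: T chooses f and sends it to R (T keeps the trap-door).
    f = ToyTDP()
    pub = f.public()
    # Message 2: R picks y0, y1 in D and sends (f^{1-i}(y0), f^{i}(y1)):
    # the selected slot carries f(y_i), the other slot carries y_{1-i} itself.
    y = [f.random_element(), f.random_element()]
    z = [apply_f(pub, y[0]) if i == 0 else y[0],
         apply_f(pub, y[1]) if i == 1 else y[1]]
    # Message 3: T inverts both slots with the trap-door and masks its bits.
    b = [hardcore_B(f.invert(z[0])) ^ x0,
         hardcore_B(f.invert(z[1])) ^ x1]
    # R unmasks only slot i: f^{-1}(z_i) = y_i, so B(y_i) ^ b_i = x_i.
    # Slot 1-i is masked by B(f^{-1}(y_{1-i})), the hard-core bit of a
    # pre-image R does not know; A sees only f, z and b.
    return hardcore_B(y[i]) ^ b[i], {"f": pub, "z": tuple(z), "b": tuple(b)}


def correct_on_all_inputs():
    """Correctness check: R outputs x_i for every (x0, x1, i)."""
    return all(run_ot(x0, x1, i)[0] == (x0, x1)[i]
               for x0 in (0, 1) for x1 in (0, 1) for i in (0, 1))
```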



At a very high level, the analysis proceeds as follows. We define two systems, the "real system", 
which captures the protocol execution, and the "ideal system" which captures the ideal specification 
for OT. Showing that the protocol is correct and secure amounts to showing that the real system 
"implements" the ideal system, in a certain sense. 

In the real system, we consider an adversary $\mathcal{A}$ interacting with the two parties $\mathcal{T}$ and $\mathcal{R}$ executing
the protocol. All communications between $\mathcal{T}$ and $\mathcal{R}$ are mediated by the adversary $\mathcal{A}$. An environment
$\mathcal{E}$ supplies inputs and receives outputs to/from $\mathcal{T}$ and $\mathcal{R}$, and also interacts with $\mathcal{A}$. In the security
literature, all the parties are usually described as Interacting Turing Machines (ITMs), which interact
by sharing input and output tapes. The adversary is activated first, and can write on the input tape of
one other ITM. Then, when it stops, the ITM which had its input tape written on is activated, and so
on.

Besides deciding how the messages are transmitted, the adversary $\mathcal{A}$ can decide to corrupt a party,
in which case he gains access to the inputs of that party. In this paper, we restrict attention to the 
case of a semi-honest adversary, which means that the parties continue to follow the protocol definition 
even after being corrupted. Furthermore, we will assume that the adversary is static, in the sense that 
it decides which parties to corrupt before the beginning of the protocol execution. 

In the ideal system, we consider a simulator $\mathcal{S}$ interacting with an ideal functionality $\mathcal{F}$, which is
an incorruptible trusted party that is assumed to perform the protocol task. The simulator $\mathcal{S}$ and the
functionality $\mathcal{F}$ also interact with the same environment $\mathcal{E}$ as in the real system. The simulator $\mathcal{S}$ has
access to the inputs and outputs of the corrupted parties.

We say that the protocol consisting of $\mathcal{T}$, $\mathcal{R}$ securely realizes the functionality $\mathcal{F}$ if, for any adversary
$\mathcal{A}$ and any environment $\mathcal{E}$, there exists a simulator $\mathcal{S}$ such that the real system consisting of $\mathcal{T}$, $\mathcal{R}$, $\mathcal{A}$
and $\mathcal{E}$ "looks like" the ideal system consisting of $\mathcal{F}$, $\mathcal{S}$, and $\mathcal{E}$, from the point of view of the environment
$\mathcal{E}$.

In showing that such a real system looks like a corresponding ideal system, the simulator is generally 
constructed in terms of variants of the adversary, transmitter, and receiver in the real system. 

In the rest of this paper, we develop these ideas formally, in terms of Probabilistic I/O Automata. 
3 Mathematical Foundations

This section contains mathematical foundations for the rest of the paper, starting in Section 3.1 with 
preliminary definitions for sets, functions, and probability measures. Then, in Section 3.2, we review definitions
and results for PIOAs. We introduce our new "task" mechanism for resolving nondeterminism
in PIOAs in Section 3.3, which leads to a definition of task-PIOAs. Section 3.4 introduces time-bounded 
task-PIOAs, that is, task-PIOAs whose computation time is bounded by particular functions. Finally, 
Section 3.5 introduces families of time-bounded task-PIOAs, with polynomial-time task-PIOAs as a 
special case. 

3.1 Preliminaries 

3.1.1 Sets, functions etc. 

We write $\mathbb{R}^{\geq 0}$ and $\mathbb{R}^{+}$ for the sets of nonnegative real numbers and positive real numbers, respectively.

If $X$ is any set, then we denote the set of finite sequences and infinite sequences of elements from
$X$ by $X^*$ and $X^\omega$, respectively. If $\rho$ is a sequence then we use $|\rho|$ to denote the length of $\rho$. We use $\lambda$
to denote the empty sequence (over any set).

If $R$ is an equivalence relation over a set $X$, then we write $x \equiv_R x'$ provided that $x$ and $x'$ are in
the same equivalence class. We sometimes write $S \in R$ if $S$ is an equivalence class of $R$.

3.1.2 Probability measures 

We present the basic definitions that we need for probability measures. We also define three operations
involving probability measures: flattening, lifting, and expansion. We use these in defining a new kind
of simulation relation for task-PIOAs, in Section 3.3.8. All of these have been defined elsewhere, for
example, [lsv03, JL91].

Basic definitions: A $\sigma$-field over a set $X$ is a set $\mathcal{F} \subseteq 2^X$ that contains the empty set and is closed
under complement and countable union. A pair $(X, \mathcal{F})$ where $\mathcal{F}$ is a $\sigma$-field over $X$, is called a measurable
space. A measure on a measurable space $(X, \mathcal{F})$ is a function $\mu : \mathcal{F} \to [0, \infty]$ that is countably additive:
for each countable family $\{X_i\}_i$ of pairwise disjoint elements of $\mathcal{F}$, $\mu(\cup_i X_i) = \sum_i \mu(X_i)$. A probability
measure on $(X, \mathcal{F})$ is a measure on $(X, \mathcal{F})$ such that $\mu(X) = 1$. A sub-probability measure on $(X, \mathcal{F})$ is
a measure on $(X, \mathcal{F})$ such that $\mu(X) \leq 1$.

A discrete probability measure on a set $X$ is a probability measure $\mu$ on $(X, 2^X)$, such that, for
each $C \subseteq X$, $\mu(C) = \sum_{c \in C} \mu(\{c\})$. A discrete sub-probability measure on a set $X$ is a sub-probability
measure $\mu$ on $(X, 2^X)$, such that for each $C \subseteq X$, $\mu(C) = \sum_{c \in C} \mu(\{c\})$. We define $Disc(X)$ and
$SubDisc(X)$ to be, respectively, the set of discrete probability measures and discrete sub-probability
measures on $X$. In the sequel, we often omit the set notation when we denote the measure of a singleton
set.

A support of a probability measure $\mu$ is a measurable set $C$ such that $\mu(C) = 1$. If $\mu$ is a discrete
probability measure, then we denote by $supp(\mu)$ the set of elements that have non-zero measure; $supp(\mu)$
is a support of $\mu$. We let $\delta(x)$ denote the Dirac measure for $x$, the discrete probability measure that
assigns probability 1 to $\{x\}$.

Given two discrete measures $\mu_1, \mu_2$ on $(X, 2^X)$ and $(Y, 2^Y)$, respectively, we denote by $\mu_1 \times \mu_2$ the
product measure, that is, the measure on $(X \times Y, 2^{X \times Y})$ such that $\mu_1 \times \mu_2(x, y) = \mu_1(x) \times \mu_2(y)$ for
each $x \in X$, $y \in Y$.

A function $f : X \to Y$ is said to be measurable from $(X, \mathcal{F}_X) \to (Y, \mathcal{F}_Y)$ if the inverse image of each
element of $\mathcal{F}_Y$ is an element of $\mathcal{F}_X$, that is, for each $C \in \mathcal{F}_Y$, $f^{-1}(C) \in \mathcal{F}_X$. In such a case, given a
measure $\mu$ on $(X, \mathcal{F}_X)$, the function $f(\mu)$ defined on $\mathcal{F}_Y$ by $f(\mu)(C) = \mu(f^{-1}(C))$ for each $C \in \mathcal{F}_Y$ is a
measure on $(Y, \mathcal{F}_Y)$ and is called the image measure of $\mu$ under $f$.
Lemma 3.1 Let $f$ be a measurable function from $(X, \mathcal{F}_X)$ to $(Y, \mathcal{F}_Y)$. Let $\{\mu_i\}_{i \in I}$ be a countable family
of measures on $(X, \mathcal{F}_X)$, and let $\{p_i\}_{i \in I}$ be a family of non-negative values. Then $f(\sum_{i \in I} p_i \mu_i) =
\sum_{i \in I} p_i f(\mu_i)$.

Flattening: The first operation, which we call "flattening", takes a discrete probability measure over
probability measures and "flattens" it into a single probability measure.

Let $\eta$ be a discrete probability measure on $Disc(X)$. Then the flattening of $\eta$, denoted by $flatten(\eta)$,
is the discrete probability measure on $X$ defined by $flatten(\eta) = \sum_{\mu \in Disc(X)} \eta(\mu)\mu$.

Lemma 3.2 Let $\eta$ be a discrete probability measure on $Disc(X)$ and let $f$ be a function from $X$ to $Y$.
Then $f(flatten(\eta)) = flatten(f(\eta))$.

Proof. By the definition of flattening, $f(flatten(\eta)) = f(\sum_{\mu \in Disc(X)} \eta(\mu)\mu)$. By distributing $f$,
we obtain that this is equal to $\sum_{\mu \in Disc(X)} \eta(\mu) f(\mu)$. By rearranging terms in this last expression,
we obtain that $f(flatten(\eta)) = \sum_{\sigma \in Disc(Y)} \sum_{\mu \in f^{-1}(\sigma)} \eta(\mu)\sigma$. Now, $\sum_{\mu \in f^{-1}(\sigma)} \eta(\mu) = f(\eta)(\sigma)$, which
implies that $f(flatten(\eta)) = \sum_{\sigma \in Disc(Y)} f(\eta)(\sigma)\sigma$. But the right-hand expression is the definition of
$flatten(f(\eta))$, as needed. $\square$

Lemma 3.3 Let $\{\eta_i\}_{i \in I}$ be a countable family of measures on $Disc(X)$, and let $\{p_i\}_{i \in I}$ be a family of
probabilities such that $\sum_{i \in I} p_i = 1$. Then $flatten(\sum_{i \in I} p_i \eta_i) = \sum_{i \in I} p_i\, flatten(\eta_i)$.

Lifting: The second operation, which we call "lifting", takes a relation between two domains $X$ and
$Y$ and "lifts" it to a relation between discrete measures over $X$ and $Y$. We allow the correspondence to
be rather general: we express it in terms of the existence of a weighting function on elements of $X \times Y$
that can be used to relate the two measures.

Let $R$ be a relation from $X$ to $Y$. The lifting of $R$, denoted by $\mathcal{L}(R)$, is a relation from $Disc(X)$ to
$Disc(Y)$ such that $\mu_1\ \mathcal{L}(R)\ \mu_2$ iff there exists a function $w : X \times Y \to \mathbb{R}^{\geq 0}$, called a weighting function,
such that

1. for each $x \in X$ and $y \in Y$, $w(x, y) > 0$ implies $x\ R\ y$,

2. for each $x \in X$, $\sum_y w(x, y) = \mu_1(x)$, and

3. for each $y \in Y$, $\sum_x w(x, y) = \mu_2(y)$.

Expansion: Finally, we have the third operation, the "expansion" operation, which is the one we use
directly in our new definition of simulation relations. The expansion of a relation $R$ relates a measure on
$X$ to a measure on $Y$ provided that the two measures can be "expanded" into corresponding measures
on measures. Here, the correspondence between the two measures on measures is rather general; in
fact, we express it in terms of the lifting operation.

Let $R$ be a relation from $Disc(X)$ to $Disc(Y)$. The expansion of $R$, denoted by $\mathcal{E}(R)$, is the relation
from $Disc(X)$ to $Disc(Y)$ such that $\mu_1\ \mathcal{E}(R)\ \mu_2$ iff there exist two discrete measures $\eta_1$ and $\eta_2$ on
$Disc(X)$ and $Disc(Y)$, respectively, such that

1. $\mu_1 = flatten(\eta_1)$,

2. $\mu_2 = flatten(\eta_2)$, and

3. $\eta_1\ \mathcal{L}(R)\ \eta_2$.

The following lemma provides an equivalent characterization of the expansion relation: 

Lemma 3.4 Let $R$ be a relation on $Disc(X) \times Disc(Y)$. Then $\mu_1\ \mathcal{E}(R)\ \mu_2$ iff there exists a countable
index set $I$, a discrete probability measure $p$ on $I$, and two collections of probability measures
$\{\mu_{1,i}\}_i, \{\mu_{2,i}\}_i$ such that
2. $\mu_2 = \sum_{i \in I} p(i)\mu_{2,i}$, and
3. for each $i \in I$, $\mu_{1,i}\ R\ \mu_{2,i}$.

Proof. Let $\mu_1\ \mathcal{E}(R)\ \mu_2$, and let $\eta_1$, $\eta_2$ and $w$ be the measures and weighting function used in the
definition of $\mathcal{E}(R)$. Let $\{(\mu_{1,i}, \mu_{2,i})\}_{i \in I}$ be an enumeration of the pairs for which $w(\mu_{1,i}, \mu_{2,i}) > 0$, and
let $p(i)$ be $w(\mu_{1,i}, \mu_{2,i})$. Then $p$, $\{\mu_{1,i}\}_{i \in I}$, and $\{\mu_{2,i}\}_{i \in I}$ satisfy Items 1, 2, and 3.

Conversely, given $p$, $\{\mu_{1,i}\}_{i \in I}$, and $\{\mu_{2,i}\}_{i \in I}$, define $\eta_1(\mu)$ to be $\sum_{i \mid \mu = \mu_{1,i}} p(i)$, $\eta_2(\mu)$ to be
$\sum_{i \mid \mu = \mu_{2,i}} p(i)$, and define $w(\mu_1, \mu_2)$ to be $\sum_{i \mid \mu_1 = \mu_{1,i},\, \mu_2 = \mu_{2,i}} p(i)$. Then $\eta_1$, $\eta_2$ and $w$ satisfy the properties
required in the definition of $\mathcal{E}(R)$. $\square$
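The image measure, flattening, and the construction in the converse direction of the proof of Lemma 3.4, worked on a small finite example in Python. This is an added illustration, not the paper's own code; the sets $X = \{0,1,2\}$, $Y = \{a,b\}$, the map $F$, the relation $R$ (a measure on $X$ is related to its image under $F$) and the measures are constructed assumptions.

```python
from collections import defaultdict
from fractions import Fraction as Fr


def key(mu):
    """Hashable key for a discrete measure, stored as a dict x -> Fraction."""
    return frozenset(mu.items())


def image(f, mu):
    """Image measure f(mu): f(mu)(y) = mu(f^{-1}(y))."""
    out = defaultdict(Fr)
    for x, p in mu.items():
        out[f(x)] += p
    return dict(out)


def flatten(eta):
    """eta is a discrete measure on Disc(X), keyed by key(mu);
    flatten(eta) = sum over mu of eta(mu) * mu."""
    out = defaultdict(Fr)
    for mu_key, p in eta.items():
        for x, q in mu_key:
            out[x] += p * q
    return dict(out)


def image_on_measures(f, eta):
    """f(eta) for a measure on measures: each mu is pushed forward to f(mu)."""
    return image(lambda mu_key: key(image(f, dict(mu_key))), eta)


def lemma_3_2_holds(f, eta):
    """Lemma 3.2 checked on a concrete eta: f(flatten(eta)) = flatten(f(eta))."""
    return image(f, flatten(eta)) == flatten(image_on_measures(f, eta))


def mix(p, mus):
    """sum_i p(i) * mu_i, the form of mu_1 and mu_2 in Lemma 3.4."""
    out = defaultdict(Fr)
    for i, pi in p.items():
        for x, q in mus[i].items():
            out[x] += pi * q
    return dict(out)


def expansion_witness(p, mus1, mus2):
    """Converse direction of the Lemma 3.4 proof: from p on I and the
    collections {mu_{1,i}}, {mu_{2,i}} build eta_1, eta_2 and w."""
    eta1, eta2, w = defaultdict(Fr), defaultdict(Fr), defaultdict(Fr)
    for i, pi in p.items():
        eta1[key(mus1[i])] += pi
        eta2[key(mus2[i])] += pi
        w[(key(mus1[i]), key(mus2[i]))] += pi
    return dict(eta1), dict(eta2), dict(w)


def is_weighting(w, eta1, eta2, related):
    """The three conditions on a weighting function for eta1 L(R) eta2."""
    rows, cols = defaultdict(Fr), defaultdict(Fr)
    for (k1, k2), v in w.items():
        if v > 0 and not related(dict(k1), dict(k2)):
            return False
        rows[k1] += v
        cols[k2] += v
    return dict(rows) == eta1 and dict(cols) == eta2


# Constructed sample: X = {0, 1, 2}, Y = {"a", "b"}; R relates a measure
# on X to its image under F, so R is the graph of mu -> F(mu).
def F(x):
    return "a" if x == 0 else "b"


def RELATED(mu, nu):
    return image(F, mu) == nu


P = {0: Fr(1, 3), 1: Fr(2, 3)}
MUS1 = {0: {0: Fr(1)}, 1: {1: Fr(1, 2), 2: Fr(1, 2)}}
MUS2 = {0: {"a": Fr(1)}, 1: {"b": Fr(1)}}
ETA1, ETA2, W = expansion_witness(P, MUS1, MUS2)
```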

The next, rather technical lemma gives us a sufficient condition for showing that a pair of functions,
$f$ and $g$, transforms $\mathcal{E}(R)$-related probability measures $\mu_1$ and $\mu_2$ to other $\mathcal{E}(R)$-related probability
measures. The required condition is that $f$ and $g$ convert each pair $\rho_1, \rho_2$ of $R$-related probability
measures that appear in a "proof" that $\mu_1\ \mathcal{E}(R)\ \mu_2$ to $\mathcal{E}(R)$-related probability measures. We will use
this lemma in the soundness proof for our new kind of simulation relation, in Lemma 3.51; there, the
two functions $f$ and $g$ apply corresponding sequences of tasks to corresponding measures on states.

Lemma 3.5 Let $R$ be a relation from $Disc(X)$ to $Disc(Y)$, and let $f, g$ be two functions on $Disc(X)$
and $Disc(Y)$, respectively. Let $\mu_1$ and $\mu_2$ be two measures, on $Disc(X)$ and $Disc(Y)$ respectively, such
that $\mu_1\ \mathcal{E}(R)\ \mu_2$, and let $\eta_1$, $\eta_2$, and $w$ be a pair of measures and a weighting function that "prove" that
$\mu_1\ \mathcal{E}(R)\ \mu_2$. Suppose further that, for any two distributions $\rho_1 \in supp(\eta_1)$ and $\rho_2 \in supp(\eta_2)$ such that
$w(\rho_1, \rho_2) > 0$, $f(\rho_1)\ \mathcal{E}(R)\ g(\rho_2)$.
Then $f(\mu_1)\ \mathcal{E}(R)\ g(\mu_2)$.

Proof. For each p\ G supp(ji\) and p 2 € supp{r]2) such that w(pi, p 2 ) > 0, let (j7i) P1iP2 , {■q2) Pl . P2 , and 
w plP2 be a pair of measures and a weighting function that prove that /(pi) £ (R) g{p2)- We know that 
these are well-defined since, by assumption, f(pi) £{R) g{p2) whenever w(pi,p 2 ) > 0. Let W denote 
the set of pairs (pi,p 2 ) such that w{p\,p 2 ) > 0. 

Let n[ = E( Pl , P2 )evi/ u; (^i^2)(77i)pi,P2 and lct V2 = J2( Pl , P2 ) e w w{pi,p2){m) Pl , P2 - Lct w ' = 

T,(p uP2K W W (Pl'P2)w P u P 2- 

We show that r)[, r] 2 , and w' prove that f(pi) £{R) 3(^2)- 

1- /(Mi) = flatten(rj[). 

By definition of 77^, flatten^) = flatten(J2( PuP2 )ew w (Pii P2)(m) P i,p 2 )- By Lemma 3.3, this is in 
tumcqualtoJ2( PuP2 )ew' w (Pi'P^f latten (M(puP2))- % definition of (771) ( Pl , P2 )), flatten((rn) (puP2) ) = 
/(pi), so we obtain that flatten^) = J2( Pl , P2 )ew w (pi> P2)f{pi)- 

We claim that the right side is equal to f(p\): Since p\ = flatten(r)i), by the definition of flatten- 
ing, Pi = Y. Pl eD lS c(x) Vi(Pi)Pi- Then, by Lemma 3.1, f(pi) = J2 Pl eDisc(X) Vi(Pi).f(Pi)- By defi- 
nition of lifting, 771 (pi) = J2 P2 eD lsc (Y) w (pi,P2); therefore, /(/ii) = E Pl6 /j lsc( x) J2 P2 eDtsc(Y) w iPu P2)f{pi), 
which is equal to J2( PuP2 ) eW w(pi,p 2 )f(pi), as needed. 

2 - 9{P2) = flatten(ri' 2 ). 
Analogous to the previous case. 

3. r)[ L{R) n 2 using w' as a weighting function. 

We verify that w' satisfies the three conditions in the definition of a weighting function: 

(a) Let p'i,p 2 be such that w'(p' 1 ,p' 2 ) > 0. Then, by definition of w' , there exists at least one 
pair (pi,p 2 ) G-R such that w PltP2 (p' 1 , p' 2 ) > 0. Since w Pl . P2 is a weighting function, p[ R p 2 
as needed. 
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(b) By definition of w' , T, P ' 2 eDisc(Y) w '(Pi> P'-i) = E P2 eD* sc (y) E( Pl:P2 ) w (Pi> P2)w PuP2 (p[, p' 2 ). 
By rearranging sums and using the fact that u> Pl . P2 is a weighting function, we obtain that 
J2 P ' 2 eDtsc(Y) w '(p'nP'2) = E( Pl , P2 ) w(Pi,P2)(vi) Pi , P2 (Pi)- (Specifically this uses the fact that 
J2p> 2 eDisc(Y) w pi,P2(Pii P2) = {Vi)pi, P 2(p'i)-) This suffices since the right-hand side is the 
definition of rj[ (p[ ) . 

(c) Symmetric to the previous case. 

□ 

3.2 Probabilistic I/O Automata 

This section contains standard definitions for PIOAs, extracted from the prior literature — see, e.g., [SL95, LSV03]. After presenting the basic definitions of PIOAs and their executions, in Section 3.2.1, we give careful definitions for the $\sigma$-field of execution fragments and the $\sigma$-field of traces of a PIOA, in Section 3.2.2. In terms of these $\sigma$-fields, we give careful definitions (and some basic results) for probabilistic executions and trace distributions, in Section 3.2.3. The remaining two subsections define the composition and hiding operations for PIOAs.

3.2.1 Basic definitions 

The definition of a PIOA is standard. A PIOA has states, a unique start state, and a set of actions, 
partitioned into input, output, and internal actions. It also has a set of "transitions", which are triples 
consisting of a state, an action, and a discrete distribution on next states. Note that a PIOA may 
exhibit both nondeterministic and probabilistic choices. Nondeterminism appears in the choice of the 
next transition to perform. Probabilistic choice occurs only in the choice of the next state, when a 
particular transition is performed. 

Definition 3.6 A probabilistic I/O automaton (PIOA) is a tuple $\mathcal{P} = (Q, \bar q, I, O, H, D)$, where

• $Q$ is a countable set of states,

• $\bar q \in Q$ is a start state,

• $I$ is a countable set of input actions,

• $O$ is a countable set of output actions,

• $H$ is a countable set of internal (hidden) actions, and

• $D \subseteq (Q \times (I \cup O \cup H) \times Disc(Q))$ is a transition relation.

We write $A$ for $I \cup O \cup H$ and refer to $A$ as the actions of $\mathcal{P}$. We write $E$ for $I \cup O$ and we refer to $E$ as the external actions of $\mathcal{P}$. We assume that PIOA $\mathcal{P}$ satisfies the following conditions.

1. $I$, $O$ and $H$ are disjoint sets.

2. Input enabling: For every state $q \in Q$ and every action $a \in I$, $D$ contains some triple of the form $(q, a, \mu)$.

3. Next-transition determinism: For every state $q$ and action $a$, there is at most one transition of the form $(q, a, \mu)$. We write $tr_{q,a}$ to denote this transition, and $\mu_{q,a}$ to denote the target measure of this transition, if the transition exists. (Otherwise, these notations are undefined.)

Note that the next-transition determinism and the countability of $Q$, $I$, $O$, and $H$ are restrictions that are not present in earlier definitions of probabilistic automata [LSV03]. We introduce these in the interests of simplicity. Input-enabling is standard.

We say that an action $a$ is enabled in a state $q$ if $D$ contains a transition $(q, a, \mu)$ for some $\mu$.

We denote the elements of an automaton $\mathcal{P}$ by $Q_\mathcal{P}, \bar q_\mathcal{P}, I_\mathcal{P}, O_\mathcal{P}, H_\mathcal{P}, D_\mathcal{P}, A_\mathcal{P}$ and $E_\mathcal{P}$. Often we use the generic name $\mathcal{P}$ for a generic automaton; in this case we omit the subscripts, writing simply $Q, \bar q, I, O, H, D, A$, and $E$.

An execution fragment of a PIOA $\mathcal{P}$ is a finite or infinite sequence $\alpha = q_0\, a_1\, q_1\, a_2 \ldots$ of alternating states and actions, starting with a state and, if the sequence is finite, ending in a state, where for each $(q_i, a_{i+1}, q_{i+1})$ there exists a transition $(q_i, a_{i+1}, \mu_i) \in D$ with $q_{i+1} \in supp(\mu_i)$. If $\alpha$ is a finite sequence, then the last state of $\alpha$ is denoted by $lstate(\alpha)$. If $\alpha$ is an execution fragment of $\mathcal{P}$ and $a$ is an action of $\mathcal{P}$ that is enabled in $lstate(\alpha)$, then we write $tr_{\alpha,a}$ as an abbreviation for $tr_{lstate(\alpha),a}$.

An execution of $\mathcal{P}$ is an execution fragment whose first state is the start state $\bar q$. We let $frags(\mathcal{P})$ and $frags^*(\mathcal{P})$ denote, respectively, the set of all execution fragments and the set of finite execution fragments of $\mathcal{P}$. Similarly, we let $execs(\mathcal{P})$ and $execs^*(\mathcal{P})$ denote, respectively, the set of all executions and the set of finite executions of $\mathcal{P}$.

The trace of an execution fragment $\alpha$ of an automaton $\mathcal{P}$, written $trace(\alpha)$, is the sequence obtained by restricting $\alpha$ to the set of external actions of $\mathcal{P}$. We say that $\beta$ is a trace of automaton $\mathcal{P}$ if there is an execution $\alpha$ of $\mathcal{P}$ with $trace(\alpha) = \beta$.

3.2.2 $\sigma$-fields of execution fragments and traces

In order to talk about probabilities for executions and traces of a PIOA, we need appropriate $\sigma$-fields. We define a $\sigma$-field over the set of execution fragments of a PIOA $\mathcal{P}$:

Definition 3.7 The cone of a finite execution fragment $\alpha$, denoted by $C_\alpha$, is the set $\{\alpha' \in frags(\mathcal{P}) \mid \alpha \le \alpha'\}$. Then $\mathcal{F}_\mathcal{P}$ is the $\sigma$-field generated by the set of cones of finite execution fragments of $\mathcal{P}$.

Observe that, since $Q$, $I$, $O$, and $H$ are countable, the set of finite execution fragments of $\mathcal{P}$ is countable, and hence the set of cones of finite execution fragments of $\mathcal{P}$ is countable. Therefore, any union of cones is measurable. Observe also that, for each finite execution fragment $\alpha$, the set $\{\alpha\}$ is measurable since it can be expressed as the intersection of $C_\alpha$ with the complement of $\bigcup_{\alpha' : \alpha < \alpha'} C_{\alpha'}$. Thus, any set of finite execution fragments is measurable, or, in other words, the discrete $\sigma$-field of finite executions is included in $\mathcal{F}_\mathcal{P}$.

We often refer to a probability measure on the $\sigma$-field $\mathcal{F}_\mathcal{P}$ generated by cones of execution fragments of a PIOA $\mathcal{P}$ as simply a probability measure on execution fragments of $\mathcal{P}$.

In many places in this paper, we will want to talk about probability measures on finite execution fragments, rather than arbitrary execution fragments. Thus, we define:

Definition 3.8 If $\epsilon$ is a probability measure on execution fragments of $\mathcal{P}$, then we say that $\epsilon$ is finite if the set of finite execution fragments is a support for $\epsilon$.

Since any set of finite execution fragments is measurable, any finite probability measure on execution fragments of $\mathcal{P}$ can also be viewed as a discrete probability measure on the set of finite execution fragments. Formally, given any finite probability measure $\epsilon$ on execution fragments of $\mathcal{P}$, we may define a discrete probability measure $finite(\epsilon)$ on the set of finite execution fragments of $\mathcal{P}$ by simply defining $finite(\epsilon)(\alpha) = \epsilon(\alpha)$ for every finite execution fragment $\alpha$ of $\mathcal{P}$. The difference between $finite(\epsilon)$ and $\epsilon$ is simply that the domain of $\epsilon$ is the set of all execution fragments of $\mathcal{P}$, whereas the domain of $finite(\epsilon)$ is the set of all finite executions of $\mathcal{P}$. Henceforth, we will ignore the distinction between $finite(\epsilon)$ and $\epsilon$.

Definition 3.9 Let $\epsilon$ and $\epsilon'$ be probability measures on execution fragments of PIOA $\mathcal{P}$. Then we say that $\epsilon$ is a prefix of $\epsilon'$, denoted by $\epsilon \le \epsilon'$, if for each finite execution fragment $\alpha$ of $\mathcal{P}$, $\epsilon(C_\alpha) \le \epsilon'(C_\alpha)$.
Definition 3.10 A chain of probability measures on execution fragments of PIOA $\mathcal{P}$ is an infinite sequence, $\epsilon_1, \epsilon_2, \ldots$ of probability measures on execution fragments of $\mathcal{P}$ such that, for each $i > 0$, $\epsilon_i \le \epsilon_{i+1}$. Given a chain $\epsilon_1, \epsilon_2, \ldots$ of probability measures on execution fragments of $\mathcal{P}$, we define a new function $\epsilon$ on the $\sigma$-field generated by cones of execution fragments of $\mathcal{P}$ as follows: For each finite execution fragment $\alpha$,

\[ \epsilon(C_\alpha) = \lim_{i \to \infty} \epsilon_i(C_\alpha). \]

Standard measure theoretical arguments ensure that $\epsilon$ can be extended uniquely to a probability measure on the $\sigma$-field of cones of finite execution fragments. Furthermore, for each $i > 0$, $\epsilon_i \le \epsilon$. We call $\epsilon$ the limit of the chain, and we denote it by $\lim_{i \to \infty} \epsilon_i$.

If $\alpha$ is a finite execution fragment of a PIOA $\mathcal{P}$ and $a$ is an action of $\mathcal{P}$, then $C_{\alpha a}$ denotes the set of execution fragments of $\mathcal{P}$ that start with $\alpha a$.

The cone construction can also be used to define a $\sigma$-field of traces:

Definition 3.11 The cone of a finite trace $\beta$, denoted by $C_\beta$, is the set $\{\beta' \in E^* \cup E^\omega \mid \beta \le \beta'\}$, where $\le$ denotes the prefix ordering on sequences. The $\sigma$-field of traces of $\mathcal{P}$ is simply the $\sigma$-field generated by the set of cones of finite traces of $\mathcal{P}$.

Again, the set of cones is countable and the discrete $\sigma$-field on finite traces is included in the $\sigma$-field generated by cones of traces. We often refer to a probability measure on the $\sigma$-field generated by cones of traces of a PIOA $\mathcal{P}$ as simply a probability measure on traces of $\mathcal{P}$.

Definition 3.12 If $\tau$ is a probability measure on traces of $\mathcal{P}$, then we say that $\tau$ is finite if the set of finite traces is a support for $\tau$. Any finite probability measure on traces of $\mathcal{P}$ can also be viewed as a discrete measure on the set of finite traces.

Definition 3.13 Let $\tau$ and $\tau'$ be probability measures on traces of PIOA $\mathcal{P}$. Then we say that $\tau$ is a prefix of $\tau'$, denoted by $\tau \le \tau'$, if, for each finite trace $\beta$ of $\mathcal{P}$, $\tau(C_\beta) \le \tau'(C_\beta)$.

Definition 3.14 A chain of probability measures on traces of PIOA $\mathcal{P}$ is an infinite sequence, $\tau_1, \tau_2, \ldots$ of probability measures on traces of $\mathcal{P}$ such that, for each $i > 0$, $\tau_i \le \tau_{i+1}$. Given a chain $\tau_1, \tau_2, \ldots$ of probability measures on traces of $\mathcal{P}$, we define a new function $\tau$ on the $\sigma$-field generated by cones of traces of $\mathcal{P}$ as follows: For each finite trace $\beta$,

\[ \tau(C_\beta) = \lim_{i \to \infty} \tau_i(C_\beta). \]

Then $\tau$ can be extended uniquely to a probability measure on the $\sigma$-field of cones of finite traces. Furthermore, for each $i > 0$, $\tau_i \le \tau$. We call $\tau$ the limit of the chain, and we denote it by $\lim_{i \to \infty} \tau_i$.

The $trace$ function is a measurable function from the $\sigma$-field generated by cones of execution fragments of $\mathcal{P}$ to the $\sigma$-field generated by cones of traces of $\mathcal{P}$. If $\epsilon$ is a probability measure on execution fragments of $\mathcal{P}$ then we define the trace distribution of $\epsilon$, $tdist(\epsilon)$, to be the image measure of $\epsilon$ under the function $trace$.

Lemma 3.15 Let $\epsilon_1, \epsilon_2, \ldots$ be a chain of measures on execution fragments, and let $\epsilon$ be $\lim_{i \to \infty} \epsilon_i$. Then $\lim_{i \to \infty} tdist(\epsilon_i) = tdist(\epsilon)$.

Proof. It suffices to show that, for any finite trace $\beta$, $\lim_{i \to \infty} tdist(\epsilon_i)(C_\beta) = tdist(\epsilon)(C_\beta)$. Fix a finite trace $\beta$.

Let $\Theta$ be the set of minimal execution fragments whose trace is in $C_\beta$. Then $trace^{-1}(C_\beta) = \bigcup_{\alpha \in \Theta} C_\alpha$, where all the cones are pairwise disjoint. Therefore, for $i > 0$, $tdist(\epsilon_i)(C_\beta) = \sum_{\alpha \in \Theta} \epsilon_i(C_\alpha)$, and $tdist(\epsilon)(C_\beta) = \sum_{\alpha \in \Theta} \epsilon(C_\alpha)$.

Since limits commute with sums, our goal can be restated as showing: $\sum_{\alpha \in \Theta} \lim_{i \to \infty} \epsilon_i(C_\alpha) = \sum_{\alpha \in \Theta} \epsilon(C_\alpha)$. Since $\lim_{i \to \infty} \epsilon_i = \epsilon$, for each finite execution fragment $\alpha$, $\lim_{i \to \infty} \epsilon_i(C_\alpha) = \epsilon(C_\alpha)$. Therefore, $\sum_{\alpha \in \Theta} \lim_{i \to \infty} \epsilon_i(C_\alpha) = \sum_{\alpha \in \Theta} \epsilon(C_\alpha)$, as needed. □
The $lstate$ function is a measurable function from the discrete $\sigma$-field of finite execution fragments of $\mathcal{P}$ to the discrete $\sigma$-field of finite traces of $\mathcal{P}$. If $\epsilon$ is a probability measure on execution fragments of $\mathcal{P}$, then we define the $lstate$ distribution of $\epsilon$, $lstate(\epsilon)$, to be the image measure of $\epsilon$ under the function $lstate$.

3.2.3 Probabilistic executions and trace distributions 

Having established some groundwork in Section 3.2.2, we now define the specific probability measures on executions and traces that are generated by PIOAs. To define such probability measures, we must resolve the PIOA's nondeterminism. For this purpose, we define a "scheduler", which, after any finite execution fragment, selects the next transition:

Definition 3.16 A scheduler for a PIOA $\mathcal{P}$ is a function $\sigma : frags^*(\mathcal{P}) \to SubDisc(D)$ such that $(q, a, \mu) \in supp(\sigma(\alpha))$ implies $q = lstate(\alpha)$.

Definition 3.17 A scheduler $\sigma$ and a finite execution fragment $\alpha$ generate a measure $\epsilon_{\sigma,\alpha}$ on the $\sigma$-field generated by cones of execution fragments. The measure of a cone $C_{\alpha'}$ is defined recursively as follows:

\[
\epsilon_{\sigma,\alpha}(C_{\alpha'}) =
\begin{cases}
0 & \text{if } \alpha' \not\le \alpha \text{ and } \alpha \not\le \alpha' \\
1 & \text{if } \alpha' \le \alpha \\
\epsilon_{\sigma,\alpha}(C_{\alpha''})\,\mu_{\sigma(\alpha'')}(a, q) & \text{if } \alpha' = \alpha'' a q \text{ and } \alpha \le \alpha''
\end{cases}
\qquad (1)
\]

where $\mu_{\sigma(\alpha'')}(a, q)$ is the probability that $\sigma(\alpha'')$ gives a transition labeled by $a$ and that the reached state is $q$. That is, $\mu_{\sigma(\alpha'')}(a, q) = \sigma(\alpha'')(tr_{\alpha'',a})\,\mu_{\alpha'',a}(q)$. Standard measure theoretical arguments ensure that $\epsilon_{\sigma,\alpha}$ is well-defined. We say that $\epsilon_{\sigma,\alpha}$ is generated by $\sigma$ and $\alpha$. We call the state $fstate(\alpha)$ the first state of $\epsilon_{\sigma,\alpha}$ and denote it by $fstate(\epsilon_{\sigma,\alpha})$.

If $\mu$ is a discrete probability measure over finite execution fragments, then we denote by $\epsilon_{\sigma,\mu}$ the measure $\sum_\alpha \mu(\alpha)\,\epsilon_{\sigma,\alpha}$ and we say that $\epsilon_{\sigma,\mu}$ is generated by $\sigma$ and $\mu$. We call the measure $\epsilon_{\sigma,\mu}$ a generalized probabilistic execution fragment of $\mathcal{P}$.

If $supp(\mu)$ is included in the set of states of $\mathcal{P}$, then we call $\epsilon_{\sigma,\mu}$ a probabilistic execution fragment of $\mathcal{P}$. Finally, for the start state $\bar q$, we call $\epsilon_{\sigma,\bar q}$ a probabilistic execution of $\mathcal{P}$.

The following lemmas give some simple equations expressing basic relationships involving the prob- 
abilities of various sets of execution fragments. 

Lemma 3.18 Let $\sigma$ be a scheduler for PIOA $\mathcal{P}$, $\mu$ be a discrete probability measure on finite execution fragments of $\mathcal{P}$, and $\alpha$ be a finite execution fragment of $\mathcal{P}$. Then

\[ \epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha) + \sum_{\alpha' < \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha). \]

Proof. By definition of $\epsilon_{\sigma,\mu}$, $\epsilon_{\sigma,\m mu}(C_\alpha) = \sum_{\alpha'} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha)$. Since, by definition, $\epsilon_{\sigma,\alpha'}(C_\alpha) = 1$ whenever $\alpha \le \alpha'$, the equation above can be rewritten as $\epsilon_{\sigma,\mu}(C_\alpha) = \sum_{\alpha' : \alpha \le \alpha'} \mu(\alpha') + \sum_{\alpha' < \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha)$. Observe that $\sum_{\alpha' : \alpha \le \alpha'} \mu(\alpha') = \mu(C_\alpha)$. Thus, by substitution, we get the statement of the lemma. □

Lemma 3.19 Let $\sigma$ be a scheduler for PIOA $\mathcal{P}$, $\mu$ be a discrete probability measure on finite execution fragments of $\mathcal{P}$, and $\alpha$ be a finite execution fragment of $\mathcal{P}$. Then

\[ \epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha - \{\alpha\}) + \sum_{\alpha' \le \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha). \]

Proof. Follows directly from Lemma 3.18 after observing that $\epsilon_{\sigma,\alpha}(C_\alpha) = 1$. □

Lemma 3.20 Let $\sigma$ be a scheduler for PIOA $\mathcal{P}$, and $\mu$ be a discrete measure on finite execution fragments of $\mathcal{P}$. Let $\alpha = \tilde\alpha\, a\, q$ be a finite execution fragment of $\mathcal{P}$. Then

\[ \epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha) + \big(\epsilon_{\sigma,\mu}(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\big)\,\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q). \]

Proof. By Lemma 3.18, by definition of $\epsilon_{\sigma,\alpha'}(C_\alpha)$, and by definition of $\mu_{\sigma(\tilde\alpha)}(a, q)$, $\epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha) + \sum_{\alpha' < \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_{\tilde\alpha})\,\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q)$. Observe that the factor $\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q)$ is a constant with respect to $\alpha'$, and thus can be moved out of the sum, so $\epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha) + \big(\sum_{\alpha' < \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_{\tilde\alpha})\big)\big(\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q)\big)$. Since $\alpha' < \alpha$ if and only if $\alpha' \le \tilde\alpha$, this yields

\[ \epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha) + \Big(\sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_{\tilde\alpha})\Big)\big(\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q)\big). \]

It suffices to show that $\sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_{\tilde\alpha}) = \epsilon_{\sigma,\mu}(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})$. But this follows immediately from Lemma 3.19 (with $\alpha$ instantiated as $\tilde\alpha$). □

Lemma 3.21 Let $\sigma$ be a scheduler for PIOA $\mathcal{P}$, $\mu$ be a discrete probability measure on finite execution fragments of $\mathcal{P}$, and $\alpha$ be a finite execution fragment of $\mathcal{P}$. Then

\[ \epsilon_{\sigma,\mu}(\alpha) = \big(\epsilon_{\sigma,\mu}(C_\alpha) - \mu(C_\alpha - \{\alpha\})\big)\big(\sigma(\alpha)(\bot)\big). \]

Proof. By definition of $\epsilon_{\sigma,\mu}$, $\epsilon_{\sigma,\mu}(\alpha) = \sum_{\alpha'} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(\alpha)$. The sum can be restricted to $\alpha' \le \alpha$ since for all other $\alpha'$, $\epsilon_{\sigma,\alpha'}(\alpha) = 0$. Then, since for each $\alpha' \le \alpha$, $\epsilon_{\sigma,\alpha'}(\alpha) = \epsilon_{\sigma,\alpha'}(C_\alpha)\,\sigma(\alpha)(\bot)$, we derive $\epsilon_{\sigma,\mu}(\alpha) = \sum_{\alpha' \le \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha)\,\sigma(\alpha)(\bot)$. Observe that $\sigma(\alpha)(\bot)$ is a constant with respect to $\alpha'$, and thus can be moved out of the sum, yielding $\epsilon_{\sigma,\mu}(\alpha) = \big(\sum_{\alpha' \le \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha)\big)\big(\sigma(\alpha)(\bot)\big)$.

It suffices to show that $\sum_{\alpha' \le \alpha} \mu(\alpha')\,\epsilon_{\sigma,\alpha'}(C_\alpha) = \epsilon_{\sigma,\mu}(C_\alpha) - \mu(C_\alpha - \{\alpha\})$. But this follows immediately from Lemma 3.19. □

Lemma 3.22 Let $\sigma$ be a scheduler for PIOA $\mathcal{P}$, and $\mu$ be a discrete probability measure on finite execution fragments of $\mathcal{P}$. Let $\alpha$ be a finite execution fragment of $\mathcal{P}$ and $a$ be an action of $\mathcal{P}$ that is enabled in $lstate(\alpha)$. Then

\[ \epsilon_{\sigma,\mu}(C_{\alpha a}) = \mu(C_{\alpha a}) + \big(\epsilon_{\sigma,\mu}(C_\alpha) - \mu(C_\alpha - \{\alpha\})\big)\,\sigma(\alpha)(tr_{\alpha,a}). \]

Proof. Observe that $C_{\alpha a} = \bigcup_q C_{\alpha a q}$. Thus, $\epsilon_{\sigma,\mu}(C_{\alpha a}) = \sum_q \epsilon_{\sigma,\mu}(C_{\alpha a q})$. By Lemma 3.20, the right-hand side is equal to $\sum_q \big(\mu(C_{\alpha a q}) + (\epsilon_{\sigma,\mu}(C_\alpha) - \mu(C_\alpha - \{\alpha\}))\,\sigma(\alpha)(tr_{\alpha,a})\,\mu_{\alpha,a}(q)\big)$. Since $\sum_q \mu(C_{\alpha a q}) = \mu(C_{\alpha a})$ and $\sum_q \mu_{\alpha,a}(q) = 1$, this is in turn equal to $\mu(C_{\alpha a}) + (\epsilon_{\sigma,\mu}(C_\alpha) - \mu(C_\alpha - \{\alpha\}))\,\sigma(\alpha)(tr_{\alpha,a})$. Combining the equations yields the result. □
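The recursion (1) of Definition 3.17 and the identities of Lemmas 3.18 through 3.22 are all finite computations once the PIOA, the scheduler and the start measure $\mu$ are finite objects. The following added example, which is not code from the paper, computes $\epsilon_{\sigma,\alpha}(C_{\alpha'})$ by the recursion, builds $\epsilon_{\sigma,\mu}$ as $\sum_\alpha \mu(\alpha)\,\epsilon_{\sigma,\alpha}$, and evaluates both sides of Lemma 3.20 and of Lemma 3.21 so that they can be compared numerically. The three-state automaton, the history-dependent scheduler `SIGMA` and the measure `MU` are constructed for the example; a scheduler is represented by a sub-distribution over the actions enabled in $lstate(\alpha)$, which identifies transitions by next-transition determinism, with the missing mass playing the role of $\sigma(\alpha)(\bot)$.

```python
"""Added example (not from the paper): the cone measure of Definition 3.17 and
the generalized probabilistic execution fragment epsilon_{sigma,mu}, computed
on a finite PIOA and checked against Lemmas 3.20 and 3.21. The automaton,
scheduler and start measure below are constructed for this example.

Representation:
  * an execution fragment is a tuple (q0, a1, q1, a2, q2, ...);
  * trans[(q, a)] is the target measure mu_{q,a} of the unique transition
    tr_{q,a} (next-transition determinism), as a dict state -> probability;
  * sigma(alpha) is a dict action -> probability, a sub-distribution over the
    transitions enabled in lstate(alpha); the missing mass is sigma(alpha)(bot)."""


def is_prefix(x, y):
    return len(x) <= len(y) and y[:len(x)] == x


def lstate(alpha):
    return alpha[-1]


def cone_measure(trans, sigma, alpha, alpha_p):
    """epsilon_{sigma,alpha}(C_{alpha'}) via the recursion (1)."""
    if is_prefix(alpha_p, alpha):                 # alpha' <= alpha
        return 1.0
    if not is_prefix(alpha, alpha_p):             # incomparable fragments
        return 0.0
    alpha_pp, a, q = alpha_p[:-2], alpha_p[-2], alpha_p[-1]   # alpha' = alpha'' a q
    step = sigma(alpha_pp).get(a, 0.0) * trans.get((lstate(alpha_pp), a), {}).get(q, 0.0)
    return cone_measure(trans, sigma, alpha, alpha_pp) * step


def mu_cone(mu, alpha, strict=False):
    """mu(C_alpha), or mu(C_alpha - {alpha}) when strict=True."""
    return sum(p for frag, p in mu.items()
               if is_prefix(alpha, frag) and not (strict and frag == alpha))


def eps_cone(trans, sigma, mu, alpha):
    """epsilon_{sigma,mu}(C_alpha) = sum_{alpha'} mu(alpha') epsilon_{sigma,alpha'}(C_alpha)."""
    return sum(p * cone_measure(trans, sigma, frag, alpha) for frag, p in mu.items())


def stop_prob(sigma, alpha):
    """sigma(alpha)(bot): the mass the sub-distribution leaves unassigned."""
    return 1.0 - sum(sigma(alpha).values())


def eps_point(trans, sigma, mu, alpha):
    """epsilon_{sigma,mu}({alpha}): reach alpha from some alpha' <= alpha in
    supp(mu), then the scheduler stops."""
    return sum(p * cone_measure(trans, sigma, frag, alpha) * stop_prob(sigma, alpha)
               for frag, p in mu.items() if is_prefix(frag, alpha))


def lemma_3_20_sides(trans, sigma, mu, alpha):
    """(left side, right side) of Lemma 3.20 for alpha = alpha~ a q."""
    at, a, q = alpha[:-2], alpha[-2], alpha[-1]
    lhs = eps_cone(trans, sigma, mu, alpha)
    rhs = mu_cone(mu, alpha) + (eps_cone(trans, sigma, mu, at) - mu_cone(mu, at, strict=True)) \
        * sigma(at).get(a, 0.0) * trans[(lstate(at), a)].get(q, 0.0)
    return lhs, rhs


def lemma_3_21_sides(trans, sigma, mu, alpha):
    """(left side, right side) of Lemma 3.21."""
    lhs = eps_point(trans, sigma, mu, alpha)
    rhs = (eps_cone(trans, sigma, mu, alpha) - mu_cone(mu, alpha, strict=True)) * stop_prob(sigma, alpha)
    return lhs, rhs


# Constructed PIOA: s0 -a-> {s1: 1/2, s2: 1/2}, s1 -b-> {s2: 1}, s2 -c-> {s2: 1}.
TRANS = {("s0", "a"): {"s1": 0.5, "s2": 0.5},
         ("s1", "b"): {"s2": 1.0},
         ("s2", "c"): {"s2": 1.0}}


def SIGMA(alpha):
    """Constructed scheduler: take a from s0, take b from s1 with probability
    1/2 (stop otherwise), loop on c from s2, and stop after three actions."""
    if len(alpha) >= 7:
        return {}
    return {"s0": {"a": 1.0}, "s1": {"b": 0.5}, "s2": {"c": 1.0}}[lstate(alpha)]


MU = {("s0",): 0.5, ("s0", "a", "s1"): 0.5}     # constructed start measure mu

if __name__ == "__main__":
    print(lemma_3_20_sides(TRANS, SIGMA, MU, ("s0", "a", "s1")))   # (0.75, 0.75)
    print(lemma_3_21_sides(TRANS, SIGMA, MU, ("s0", "a", "s1")))   # (0.375, 0.375)
```

The start measure `MU` puts mass on two comparable fragments on purpose: the term $\mu(C_{\tilde\alpha} - \{\tilde\alpha\})$ in Lemma 3.20 is then non-zero, which is the case the lemma's subtraction exists to handle.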

Next, we consider limits of generalized probabilistic execution fragments. 

Proposition 3.23 Let $\epsilon_1, \epsilon_2, \ldots$ be a chain of generalized probabilistic execution fragments of a PIOA $\mathcal{P}$, all generated from the same discrete probability measure $\mu$ on finite execution fragments. Then $\lim_{i \to \infty} \epsilon_i$ is a generalized probabilistic execution fragment of $\mathcal{P}$ generated from $\mu$.

Proof. Let $\epsilon$ denote $\lim_{i \to \infty} \epsilon_i$. For each $i \ge 1$, let $\sigma_i$ be a scheduler such that $\epsilon_i = \epsilon_{\sigma_i,\mu}$, and for each finite execution fragment $\alpha$, let $p^i_\alpha = \epsilon_{\sigma_i,\mu}(C_\alpha) - \mu(C_\alpha - \{\alpha\})$. For each finite execution $\alpha$ and each action $a$, let $p^i_{\alpha a} = \epsilon_{\sigma_i,\mu}(C_{\alpha a}) - \mu(C_{\alpha a})$.

By Lemma 3.22, if $a$ is enabled in $lstate(\alpha)$ then $p^i_\alpha\,(\sigma_i(\alpha)(tr_{\alpha,a})) = p^i_{\alpha a}$, and so, if $p^i_\alpha \ne 0$, then $\sigma_i(\alpha)(tr_{\alpha,a}) = p^i_{\alpha a} / p^i_\alpha$.

For each finite execution fragment $\alpha$, let $p_\alpha = \epsilon(C_\alpha) - \mu(C_\alpha - \{\alpha\})$. For each finite execution fragment $\alpha$ and each action $a$, let $p_{\alpha a} = \epsilon(C_{\alpha a}) - \mu(C_{\alpha a})$. Define $\sigma(\alpha)(tr_{\alpha,a})$ to be $p_{\alpha a} / p_\alpha$ if $p_\alpha > 0$; otherwise define $\sigma(\alpha)(tr_{\alpha,a}) = 0$. By definition of $\epsilon$ and simple manipulations, $\lim_{i \to \infty} p^i_\alpha = p_\alpha$ and $\lim_{i \to \infty} p^i_{\alpha a} = p_{\alpha a}$. It follows that, if $p_\alpha > 0$, then $\sigma(\alpha)(tr_{\alpha,a}) = \lim_{i \to \infty} \sigma_i(\alpha)(tr_{\alpha,a})$.

It remains to show that $\sigma$ is a scheduler and that $\epsilon_{\sigma,\mu} = \epsilon$. To show that $\sigma$ is a scheduler, we must show that, for each finite execution fragment $\alpha$, $\sigma(\alpha)$ is a sub-probability measure. Observe that, for each $i \ge 1$, $\sum_{tr} \sigma_i(\alpha)(tr) = \sum_a \sigma_i(\alpha)(tr_{\alpha,a})$. Similarly, $\sum_{tr} \sigma(\alpha)(tr) = \sum_a \sigma(\alpha)(tr_{\alpha,a})$. Since each $\sigma_i$ is a scheduler, it follows that, for each $i > 0$, $\sum_a \sigma_i(\alpha)(tr_{\alpha,a}) \le 1$. Thus, also $\lim_{i \to \infty} \sum_a \sigma_i(\alpha)(tr_{\alpha,a}) \le 1$. By interchanging the limit and the sum, we obtain $\sum_a \lim_{i \to \infty} \sigma_i(\alpha)(tr_{\alpha,a}) \le 1$.

We claim that $\sigma(\alpha)(tr_{\alpha,a}) \le \lim_{i \to \infty} \sigma_i(\alpha)(tr_{\alpha,a})$, which immediately implies that $\sigma(\alpha)(tr_{\alpha,a}) \le 1$, as needed. To see this claim, we consider two cases: If $p_\alpha > 0$, then as shown earlier, $\sigma(\alpha)(tr_{\alpha,a}) = \lim_{i \to \infty} \sigma_i(\alpha)(tr_{\alpha,a})$, which implies the claim. On the other hand, if $p_\alpha = 0$, then $\sigma(\alpha)(tr_{\alpha,a})$ is defined to be zero, so that $\sigma(\alpha)(tr_{\alpha,a}) = 0$, which is less than or equal to $\lim_{i \to \infty} \sigma_i(\alpha)(tr_{\alpha,a})$, which again implies the claim.

To show that $\epsilon_{\sigma,\mu} = \epsilon$, we show by induction on the length of a finite execution fragment $\alpha$ that $\epsilon_{\sigma,\mu}(C_\alpha) = \epsilon(C_\alpha)$. For the base case, let $\alpha$ consist of a single state $q$. By Lemma 3.18, $\epsilon_{\sigma,\mu}(C_q) = \mu(C_q)$, and for each $i \ge 1$, $\epsilon_{\sigma_i,\mu}(C_q) = \mu(C_q)$. Thus, $\epsilon(C_q) = \lim_{i \to \infty} \epsilon_{\sigma_i,\mu}(C_q) = \mu(C_q)$, as needed.

For the inductive step, let $\alpha = \tilde\alpha\, a\, q$. By Lemma 3.20,

\[ \lim_{i \to \infty} \epsilon_{\sigma_i,\mu}(C_\alpha) = \lim_{i \to \infty} \Big( \mu(C_\alpha) + \big(\epsilon_{\sigma_i,\mu}(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\big)\,\sigma_i(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q) \Big). \]

Observe that the left side is $\epsilon(C_\alpha)$. By algebraic manipulation, the equation above becomes

\[ \epsilon(C_\alpha) = \mu(C_\alpha) + \Big( \big(\lim_{i \to \infty} \epsilon_{\sigma_i,\mu}(C_{\tilde\alpha})\big) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) \Big) \Big( \lim_{i \to \infty} \sigma_i(\tilde\alpha)(tr_{\tilde\alpha,a}) \Big)\,\mu_{\tilde\alpha,a}(q). \]

By definition of $\epsilon$, $\lim_{i \to \infty} \epsilon_{\sigma_i,\mu}(C_{\tilde\alpha}) = \epsilon(C_{\tilde\alpha})$, and by inductive hypothesis, $\epsilon(C_{\tilde\alpha}) = \epsilon_{\sigma,\mu}(C_{\tilde\alpha})$. Therefore,

\[ \epsilon(C_\alpha) = \mu(C_\alpha) + \big(\epsilon_{\sigma,\mu}(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\big) \Big( \lim_{i \to \infty} \sigma_i(\tilde\alpha)(tr_{\tilde\alpha,a}) \Big)\,\mu_{\tilde\alpha,a}(q). \]

Also by Lemma 3.20, we obtain that

\[ \epsilon_{\sigma,\mu}(C_\alpha) = \mu(C_\alpha) + \big(\epsilon_{\sigma,\mu}(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\big)\,\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q). \]

We claim that the right-hand sides of the last two equations are equal. To see this, consider two cases. First, if $p_{\tilde\alpha} > 0$, then we have already shown that $\lim_{i \to \infty} \sigma_i(\tilde\alpha)(tr_{\tilde\alpha,a}) = \sigma(\tilde\alpha)(tr_{\tilde\alpha,a})$. Since these two terms are the only difference between the two expressions, the expressions are equal.

On the other hand, if $p_{\tilde\alpha} = 0$, then by definition of $p_{\tilde\alpha}$, we get that $\epsilon(C_{\tilde\alpha}) = \mu(C_{\tilde\alpha} - \{\tilde\alpha\})$. Then the second terms of the two right-hand sides are both equal to zero, which implies that both expressions are equal to the first term $\mu(C_\alpha)$. Again, the two right-hand sides are equal.

Since the right-hand sides are equal, so are the left-hand sides, that is, $\epsilon_{\sigma,\mu}(C_\alpha) = \epsilon(C_\alpha)$, as needed to complete the inductive hypothesis. □

We denote the set of trace distributions of probabilistic executions of a PIOA $\mathcal{P}$ by $tdists(\mathcal{P})$.

3.2.4 Composition 

We define composition for PIOAs: 

Definition 3.24 Two PIOAs $\mathcal{P}_1$ and $\mathcal{P}_2$ are compatible if $H_1 \cap A_2 = A_1 \cap H_2 = O_1 \cap O_2 = \emptyset$. The composition of two compatible PIOAs $\mathcal{P}_1$ and $\mathcal{P}_2$, denoted by $\mathcal{P}_1 \| \mathcal{P}_2$, is the PIOA $\mathcal{P} = (Q, \bar q, I, O, H, D)$ where

• $Q = Q_1 \times Q_2$,

• $\bar q = (\bar q_1, \bar q_2)$,

• $I = (I_1 \cup I_2) - (O_1 \cup O_2)$,

• $O = O_1 \cup O_2$,

• $H = H_1 \cup H_2$,

• $D$ is the set of triples $((q_1, q_2), a, \mu_1 \times \mu_2)$ such that for $i \in \{1, 2\}$, if $a$ is an action of $\mathcal{P}_i$, then $(q_i, a, \mu_i) \in D_i$, and if $a$ is not an action of $\mathcal{P}_i$ then $\mu_i = \delta(q_i)$.

If $q = (q_1, q_2)$ is a state of $\mathcal{P}$ then for $i \in \{1, 2\}$, we write $q \lceil \mathcal{P}_i$ to denote $q_i$. We extend the definition of composition and the $\lceil$ notation to any finite number of arguments, not just two.

3.2.5 Hiding

We define a hiding operation for PIOAs, which hides output actions.

Definition 3.25 Let $\mathcal{P} = (Q, \bar q, I, O, H, D)$ be a PIOA and $S \subseteq O$. Then $hide(\mathcal{P}, S)$ is the PIOA $\mathcal{P}'$ that is the same as $\mathcal{P}$ except that $O_{\mathcal{P}'} = O_\mathcal{P} - S$ and $H_{\mathcal{P}'} = H_\mathcal{P} \cup S$.
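Definitions 3.6, 3.24 and 3.25 are concrete enough to execute on finite automata. The following added example, which is not code from the paper, models a PIOA as a small class that checks the disjointness, input-enabling and transition-shape conditions of Definition 3.6 (next-transition determinism is built into the representation, since $D$ is keyed by the pair state and action), composes two compatible PIOAs exactly as in Definition 3.24 (product states, product target measures, $\delta(q_i)$ for a component that lacks the action, and $I = (I_1 \cup I_2) - (O_1 \cup O_2)$), and hides outputs as in Definition 3.25. The class and function names and the sender/receiver automata are constructed for this example.

```python
"""Added example (not from the paper): an executable reading of Definition 3.6
(a PIOA and its well-formedness conditions), Definition 3.24 (composition)
and Definition 3.25 (hiding). The class `PIOA`, the functions `compatible`,
`compose`, `hide`, and the two toy automata are all constructed for this
example; probabilities are floats."""
from dataclasses import dataclass
from itertools import product


@dataclass
class PIOA:
    states: set
    start: object
    inputs: set
    outputs: set
    internal: set
    # D stored as (state, action) -> {next_state: probability}. Keying on
    # (state, action) is exactly next-transition determinism (condition 3).
    trans: dict

    @property
    def actions(self):            # A = I ∪ O ∪ H
        return self.inputs | self.outputs | self.internal

    @property
    def external(self):           # E = I ∪ O
        return self.inputs | self.outputs

    def enabled(self, q, a):
        return (q, a) in self.trans

    def check(self):
        """Violations of conditions 1 and 2 of Definition 3.6 and of the
        shape of D; an empty list means the automaton is well-formed."""
        problems = []
        if (self.inputs & self.outputs) or (self.inputs & self.internal) \
                or (self.outputs & self.internal):
            problems.append("I, O, H are not disjoint")
        for q in self.states:                       # input enabling
            for a in self.inputs:
                if not self.enabled(q, a):
                    problems.append(f"input {a} not enabled in {q}")
        for (q, a), mu in self.trans.items():       # D ⊆ Q × A × Disc(Q)
            if q not in self.states or a not in self.actions \
                    or not set(mu) <= self.states or abs(sum(mu.values()) - 1) > 1e-12:
                problems.append(f"malformed transition ({q}, {a})")
        return problems


def compatible(p1, p2):
    """H1 ∩ A2 = A1 ∩ H2 = O1 ∩ O2 = ∅."""
    return not (p1.internal & p2.actions) and not (p1.actions & p2.internal) \
        and not (p1.outputs & p2.outputs)


def compose(p1, p2):
    """P1 || P2 (Definition 3.24): a shared action moves both components and
    the target is the product measure; a component lacking the action stays
    put, i.e. contributes the Dirac measure δ(q_i)."""
    if not compatible(p1, p2):
        raise ValueError("components are not compatible")
    states = set(product(p1.states, p2.states))
    trans = {}
    for q1, q2 in states:
        for a in p1.actions | p2.actions:
            parts = []
            for comp, q in ((p1, q1), (p2, q2)):
                if a not in comp.actions:
                    parts.append({q: 1.0})        # δ(q_i)
                elif comp.enabled(q, a):
                    parts.append(comp.trans[(q, a)])
                else:
                    parts = None                  # a belongs to comp but is not enabled
                    break
            if parts is not None:
                trans[((q1, q2), a)] = {(s1, s2): m1 * m2
                                         for s1, m1 in parts[0].items()
                                         for s2, m2 in parts[1].items()}
    return PIOA(states, (p1.start, p2.start),
                (p1.inputs | p2.inputs) - (p1.outputs | p2.outputs),
                p1.outputs | p2.outputs, p1.internal | p2.internal, trans)


def hide(p, S):
    """hide(P, S) (Definition 3.25): outputs in S become internal actions."""
    if not S <= p.outputs:
        raise ValueError("can only hide output actions")
    return PIOA(p.states, p.start, set(p.inputs), p.outputs - S, p.internal | S, dict(p.trans))


# Constructed toy system: a sender flips a coin internally and then emits `send`;
# a receiver accepts `send` in every state (input enabling).
SENDER = PIOA({"init", "heads", "tails", "done"}, "init", set(), {"send"}, {"flip"},
              {("init", "flip"): {"heads": 0.5, "tails": 0.5},
               ("heads", "send"): {"done": 1.0},
               ("tails", "send"): {"done": 1.0}})
RECEIVER = PIOA({"r0", "r1"}, "r0", {"send"}, set(), set(),
                {("r0", "send"): {"r1": 1.0}, ("r1", "send"): {"r1": 1.0}})
SYSTEM = compose(SENDER, RECEIVER)        # `send` is an output of the composite
CLOSED = hide(SYSTEM, {"send"})           # ... and internal after hiding

if __name__ == "__main__":
    print(SYSTEM.check(), SYSTEM.inputs, SYSTEM.outputs, SYSTEM.internal)
    print(CLOSED.external)                # set(): the composite is now closed
```

Note that `compose` refuses `compose(SENDER, SENDER)` because the two copies share the output `send`, which is exactly the $O_1 \cap O_2 = \emptyset$ clause of compatibility; the receiver's input-enabling is what lets every `send` of the sender be matched.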

3.3 Task-PIOAs 

In this section, we introduce a new "task" mechanism for describing the resolution of nondetermin- 
ism. For general PIOAs, we already have a notion of "scheduler", which can use arbitrary knowledge 
about the past execution in choosing a specific next transition. Such a scheduler is very powerful — too 
powerful for the security protocol setting. In particular, a scheduler's choice of transition may depend 
on information that is supposed to be kept secret from the adversarial components. Moreover, the 
scheduler has very fine-grained control over the precise choice of transition. 

To reduce the power of the scheduler, we here define "task-PIOAs", which provide equivalence relations on the actions and on the states of the PIOAs. The action equivalence relation classifies the actions into "tasks", which are units of scheduling. The state equivalence relation helps us to express certain technical restrictions on the transitions. This aggregation will be used to weaken the power of the scheduler, by forcing it to ignore differences such as results of secret random choices. 

We begin by defining task-PIOAs, in Section 3.3.1. Then we define task schedulers, in Section 3.3.2, 
which are a variant of our schedulers with coarser granularity (they schedule tasks rather than specific 
transitions). Section 3.3.3 defines directly how a task scheduler generates a probability measure on 
execution fragments, for a closed task-PIOA. Then, in a rather lengthy diversion, it relates this definition 
to the more traditional definitions for PIOAs, by showing that the resulting probability measure is in 
fact generated by some traditional scheduler. The next two sections define composition and hiding, for 
task-PIOAs. 

Then, we develop our notions of implementation between task-PIOAs. In Section 3.3.6, we define 
the notion of an "environment" for a task-PIOA. We use this, in Section 3.3.7, to define what it means 
for one task-PIOA to implement another. Finally, in Section 3.3.8, we define our new kind of simulation 
relation between closed task-PIOAs, and prove that it is sound with respect to our implementation 
notion. 

3.3.1 Task-PIOAs 

Definition 3.26 We define a task-PIOA to be a triple $\mathcal{T} = (\mathcal{P}, RA, RS)$, where

• $\mathcal{P} = (Q, \bar q, I, O, H, D)$ is a PIOA (satisfying next-transition determinism).

• $RA$ is an equivalence relation on the action set $A$.

We refer to the equivalence classes of $RA$ as tasks. We require that $RA$ respect action types: each $T \in RA$ is a subset of $I$, $O$, or $H$. We refer to the tasks as input tasks, output tasks, or internal tasks, respectively.

• $RS$ is an equivalence relation on the state set $Q$.

A task $T$ is enabled in a state $q$ if there is some action $a \in T$ that is enabled in $q$. A task $T$ is enabled in a set of states $S$ provided that $T$ is enabled in every $q \in S$.

We require a task-PIOA to satisfy the following (rather strong) conditions:

1. Next-action determinism: For every state $q \in Q$ and every output or internal task $T \in RA$, there is at most one action $a \in T$ that is enabled in $q$.

2. Random-choice consistency: If $(q, a, \mu) \in D$, then $supp(\mu) \subseteq S$ for some $S \in RS$.

3. Transition consistency: Suppose that $q_1 =_{RS} q_2$, $a_1 =_{RA} a_2$, $\{(q_1, a_1, \mu_1), (q_2, a_2, \mu_2)\} \subseteq D$; then $supp(\mu_1) \cup supp(\mu_2) \subseteq S$ for some $S \in RS$.

4. Enabling consistency: If $q_1 =_{RS} q_2$, $a_1 \in O \cup H$, and $(q_1, a_1, \mu_1) \in D$, then there exists a transition $(q_2, a_2, \mu_2) \in D$ such that $a_1 =_{RA} a_2$.

We denote the relations $RA$ and $RS$ of a task-PIOA $\mathcal{T}$ by $RA_\mathcal{T}$ and $RS_\mathcal{T}$. If $S$ is a set of states of $\mathcal{P}$ such that all states in $S$ are $RS$-equivalent, then we write $[S]_\mathcal{T}$ to denote the unique equivalence class $S' \in RS$ such that $S \subseteq S'$. Similarly, if $\mu$ is a discrete distribution on states of $\mathcal{P}$ such that all states in $supp(\mu)$ are $RS$-equivalent, then we write $[\mu]_\mathcal{T}$ to denote the unique equivalence class $S' \in RS$ such that $supp(\mu) \subseteq S'$. We drop the subscript $\mathcal{T}$ when we think it should be clear from the context.

The non-probabilistic executions and traces of a task-PIOA $\mathcal{T} = (\mathcal{P}, RA, RS)$ are defined to be the executions and traces of the underlying PIOA $\mathcal{P}$.

3.3.2 Task Schedulers 

Here we define our notion of a "task scheduler", which chooses the next task to perform. For a closed task-PIOA (that is, one with no input actions), a task scheduler resolves all nondeterminism, because of the next-action determinism property of task-PIOAs and the next-transition determinism property of general PIOAs. 

In this paper, our notion of task scheduler is oblivious — that is, it is just a sequence of tasks. In the security protocol setting, we would like also to consider task schedulers that can depend on partial information about the past execution, in particular, on the portion of the execution that is visible to the adversarial components. However, this extension will require significant generalizations to the machinery we have developed so far, and we leave it for future work. 

Definition 3.27 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA where $\mathcal{P} = (Q, \bar q, I, O, H, D)$. A task scheduler for $\mathcal{T}$ is defined to be a finite or infinite sequence $\rho = T_1\, T_2 \ldots$ of tasks in $RA$.

3.3.3 Probabilistic executions and trace distributions 

We next describe how a given task scheduler generates a generalized probabilistic execution fragment given a starting measure $\mu$ on finite execution fragments. We do this by defining a function $apply(\cdot, \cdot)$ that takes a discrete measure $\mu$ on finite execution fragments and a task scheduler $\rho$ and returns the result of applying $\rho$ from $\mu$, which is a measure on execution fragments. We define $apply(\cdot, \cdot)$ first for the empty sequence of tasks, then for a single task, then for a finite sequence of tasks, and finally for an infinite sequence of tasks.

Definition 3.28 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA where $\mathcal{P} = (Q, \bar q, I, O, H, D)$. Then $apply(\cdot, \cdot)$ is a function that takes a discrete probability measure on finite execution fragments and a task scheduler and returns a probability measure on execution fragments. It is defined recursively as follows:

1. $apply(\mu, \lambda) = \mu$ (recall that $\lambda$ is the empty sequence).

2. If $T$ is a single task, then for each finite execution fragment $\alpha$, $apply(\mu, T)(\alpha) = p_1(\alpha) + p_2(\alpha)$, where:

\[
p_1(\alpha) =
\begin{cases}
\mu(\alpha')\,\mu_{\alpha',a}(q) & \text{if } \alpha \text{ can be written as } \alpha' a q, \text{ where } \alpha' \in supp(\mu),\ a \in T, \text{ and } (lstate(\alpha'), a, \mu_{\alpha',a}) \in D_\mathcal{P}, \\
0 & \text{otherwise.}
\end{cases}
\]

Next-transition determinism implies that there can be only one such transition, so $p_1$ is well-defined.

\[
p_2(\alpha) =
\begin{cases}
\mu(\alpha) & \text{if } T \text{ is not enabled in } lstate(\alpha), \\
0 & \text{otherwise.}
\end{cases}
\]

3. If $\rho$ is a finite sequence of tasks $\rho' T$, then $apply(\mu, \rho) = apply(apply(\mu, \rho'), T)$.

4. If $\rho$ is an infinite sequence, then let $\rho_i$ be the prefix of $\rho$ consisting of the first $i$ tasks of $\rho$, and let $\epsilon_i$ be $apply(\mu, \rho_i)$. Then $apply(\mu, \rho) = \lim_{i \to \infty} (\epsilon_i)$.
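Items 1 through 3 of Definition 3.28 describe a computation that can be run directly on a finite closed task-PIOA. The following added example, which is not code from the paper, implements $apply(\mu, T)$ with its $p_1$ and $p_2$ terms, chains it over a finite task sequence $\rho$, and reports the total mass of the result (which Lemma 3.31 says is always 1) together with the trace distribution of the resulting measure. The coin-flip task-PIOA, the task names `FLIP` and `SAY`, and all function names are constructed for this example; $RS$ is not needed to compute $apply$ and is omitted. The example also illustrates why next-action determinism matters: the output task `SAY` contains both `sayH` and `sayT`, so a task scheduler chooses "announce the coin" without being able to choose which announcement is made.

```python
"""Added example (not from the paper): apply(mu, rho) of Definition 3.28 for a
finite task schedule on a closed task-PIOA, with the total-mass check of
Lemma 3.31 and the trace distribution of the result. The coin-flip task-PIOA,
the task names and all function names are constructed for this example.

Representation: a fragment is a tuple (q0, a1, q1, ...); trans[(q, a)] is the
target measure mu_{q,a} of the unique transition tr_{q,a}; a task is a
frozenset of actions (one RA-class); a discrete measure on finite fragments
is a dict fragment -> probability. RS is not needed to compute apply."""


def lstate(alpha):
    return alpha[-1]


def enabled_action(trans, task, q):
    """The unique action of `task` enabled in q, or None if the task is not
    enabled there (next-action determinism guarantees uniqueness)."""
    acts = [a for a in task if (q, a) in trans]
    if len(acts) > 1:
        raise ValueError(f"next-action determinism violated in {q}: {acts}")
    return acts[0] if acts else None


def apply_task(trans, mu, task):
    """apply(mu, T), item 2 of Definition 3.28.  Mass mu(alpha') whose last
    state enables a in T flows to alpha' a q with weight mu_{alpha',a}(q) (the
    p1 term); mass where T is not enabled stays on alpha (the p2 term)."""
    out = {}
    for alpha, p in mu.items():
        a = enabled_action(trans, task, lstate(alpha))
        if a is None:
            out[alpha] = out.get(alpha, 0.0) + p                    # p2
        else:
            for q, pq in trans[(lstate(alpha), a)].items():
                ext = alpha + (a, q)
                out[ext] = out.get(ext, 0.0) + p * pq               # p1
    return out


def apply_schedule(trans, mu, rho):
    """apply(mu, rho) for finite rho = T1 T2 ... Tn (items 1 and 3): the empty
    schedule returns mu, otherwise the tasks are applied one at a time."""
    for task in rho:
        mu = apply_task(trans, mu, task)
    return mu


def total_mass(mu):
    """Lemma 3.31 says this stays 1 for every finite schedule."""
    return sum(mu.values())


def trace(alpha, external):
    return tuple(a for a in alpha[1::2] if a in external)


def tdist(mu, external):
    """tdist of a discrete measure on finite fragments (image under trace)."""
    out = {}
    for alpha, p in mu.items():
        t = trace(alpha, external)
        out[t] = out.get(t, 0.0) + p
    return out


# Constructed closed task-PIOA: flip a coin internally, then announce it.
TRANS = {("start", "flip"): {"h": 0.5, "t": 0.5},
         ("h", "sayH"): {"done": 1.0},
         ("t", "sayT"): {"done": 1.0}}
FLIP = frozenset({"flip"})            # internal task
SAY = frozenset({"sayH", "sayT"})     # one output task: the scheduler picks
                                      # "announce" without seeing the coin
EXTERNAL = {"sayH", "sayT"}
START = {("start",): 1.0}             # mu = δ(start)

if __name__ == "__main__":
    print(apply_schedule(TRANS, START, [FLIP, SAY]))
    print(tdist(apply_schedule(TRANS, START, [FLIP, SAY]), EXTERNAL))
```

Scheduling `SAY` before `FLIP` leaves the measure unchanged (the task is not enabled in `start`, so only the $p_2$ term contributes), and scheduling it again after `done` is reached does the same; in both cases the total mass stays 1 as Lemma 3.31 requires.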

Lemma 3.29 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA, and let $\rho$ be a finite task scheduler. Let $q_1$ and $q_2$ be two states of $\mathcal{P}$ such that $q_1 =_{RS} q_2$. Let $\mu_1$ and $\mu_2$ be the discrete distributions on finite execution fragments $apply(q_1, \rho)$ and $apply(q_2, \rho)$.
Then $supp(lstate(\mu_1)) \cup supp(lstate(\mu_2)) \subseteq S$, for some $S \in RS$.

Proof. By induction on the length of $\rho$, using the enabling-consistency and transition-consistency properties for task-PIOAs. □

We now prove that $apply(\mu, \rho)$ returns a generalized probabilistic execution fragment generated by $\mu$ (and some ordinary scheduler). This result is stated as Proposition 3.40. Our proof uses a series of auxiliary lemmas.

Lemma 3.30 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu$ be a discrete probability measure over finite execution fragments of $\mathcal{P}$ and let $T$ be a task. Let $p_1$ and $p_2$ be the functions used in the definition of $apply(\mu, T)$. Then:

1. For each state $q$, $p_1(q) = 0$.

2. For each finite execution fragment $\alpha$, $\mu(\alpha) = p_2(\alpha) + \sum_{(a,q) : \alpha a q \in frags^*(\mathcal{P})} p_1(\alpha a q)$.

Proof. For Part 1, the fact that $p_1(q) = 0$ for each state $q$ follows trivially by definition of $p_1(q)$.
For Part 2, consider a finite execution fragment $\alpha$. We observe the following facts:

1. If $T$ is not enabled from $lstate(\alpha)$, then, by definition of $p_2$, $\mu(\alpha) = p_2(\alpha)$. Furthermore, for each action $a$ and each state $q$ such that $\alpha a q$ is an execution fragment, we claim that $p_1(\alpha a q) = 0$: Indeed, if $a \notin T$, then the first case of the definition of $p_1(\alpha)$ trivially does not apply; if $a \in T$, then, since $T$ is not enabled from $lstate(\alpha)$, there is no $\mu'$ such that $(lstate(\alpha), a, \mu') \in D_\mathcal{P}$, and thus, again, the first case of the definition of $p_1(\alpha)$ does not apply.

2. If $T$ is enabled from $lstate(\alpha)$, then, trivially, $p_2(\alpha) = 0$. Furthermore, we claim that $\mu(\alpha) = \sum_{(a,q)} p_1(\alpha a q)$: Indeed, there exists only one action $b \in T$ that is enabled from $lstate(\alpha)$. By definition of $p_1$, $p_1(\alpha a q) = 0$ if $a \ne b$ (either $a \notin T$ or $a$ is not enabled from $lstate(\alpha)$). Thus, $\sum_{(a,q)} p_1(\alpha a q) = \sum_q p_1(\alpha b q) = \sum_q \mu(\alpha)\,\mu_{\alpha,b}(q)$. This in turn is equal to $\mu(\alpha)$ since $\sum_q \mu_{\alpha,b}(q) = 1$.

In each case, we get $\mu(\alpha) = p_2(\alpha) + \sum_{(a,q)} p_1(\alpha a q)$, as needed. □

Lemma 3.31 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu$ be a discrete probability measure over finite execution fragments and $\rho$ be a finite sequence of tasks. Then $apply(\mu, \rho)$ is a discrete probability measure over finite execution fragments.

Proof. By a simple inductive argument. The key part of the inductive step consists of showing that, for each measure $\varepsilon$ on finite execution fragments and each task $T$, $apply(\varepsilon, T)$ is a probability measure over finite execution fragments.

Let $\varepsilon'$ be $apply(\varepsilon, T)$. The fact that $\varepsilon'$ is a measure on finite execution fragments follows directly by Item 2 of the definition of $apply(\cdot,\cdot)$. To show that $\varepsilon'$ is in fact a probability measure, we show that $\sum_{\alpha \in frags^*(\mathcal{P})} \varepsilon'(\alpha) = 1$. By Item 2 of the definition of $apply(\cdot,\cdot)$, $\sum_{\alpha \in frags^*(\mathcal{P})} \varepsilon'(\alpha) = \sum_{\alpha \in frags^*(\mathcal{P})} (p_1(\alpha) + p_2(\alpha))$. By rearranging terms,

$$\sum_{\alpha \in frags^*(\mathcal{P})} \varepsilon'(\alpha) = \sum_q p_1(q) + \sum_{\alpha \in frags^*(\mathcal{P})} \Bigl( p_2(\alpha) + \sum_{(a,q):\, \alpha a q \in frags^*(\mathcal{P})} p_1(\alpha a q) \Bigr).$$

By Lemma 3.30, the right side becomes $\sum_{\alpha \in frags^*(\mathcal{P})} \varepsilon(\alpha)$. Since $\sum_{\alpha \in frags^*(\mathcal{P})} \varepsilon(\alpha) = 1$, then also $\sum_{\alpha \in frags^*(\mathcal{P})} \varepsilon'(\alpha) = 1$, as needed. □

Lemma 3.32 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu' = apply(\mu, T)$. Then, for each finite execution fragment $\alpha$:

1. If $\alpha$ consists of a single state $q$, then $\mu'(C_\alpha) = \mu(C_\alpha)$.

2. If $\alpha = \tilde\alpha a q$ and $a \notin T$, then $\mu'(C_\alpha) = \mu(C_\alpha)$.

3. If $\alpha = \tilde\alpha a q$ and $a \in T$, then $\mu'(C_\alpha) = \mu(C_\alpha) + \mu(\tilde\alpha)\,\mu_{\tilde\alpha,a}(q)$.

Proof. Let $p_1$ and $p_2$ be the functions used in the definition of $apply(\mu, T)$, and let $\alpha$ be a finite execution fragment. By definition of a cone and of $\mu'$, $\mu'(C_\alpha) = \sum_{\alpha' \mid \alpha \le \alpha'} (p_1(\alpha') + p_2(\alpha'))$. By definition of a cone and Lemma 3.30,

$$\mu(C_\alpha) = \sum_{\alpha' \mid \alpha \le \alpha'} \Bigl( p_2(\alpha') + \sum_{(a,q):\, \alpha' a q \in frags^*(\mathcal{P})} p_1(\alpha' a q) \Bigr) = \sum_{\alpha' \mid \alpha \le \alpha'} (p_1(\alpha') + p_2(\alpha')) - p_1(\alpha).$$

Thus, $\mu'(C_\alpha) = \mu(C_\alpha) + p_1(\alpha)$. We distinguish three cases. If $\alpha$ consists of a single state, then $p_1(\alpha) = 0$ by Lemma 3.30, yielding $\mu'(C_\alpha) = \mu(C_\alpha)$. If $\alpha = \tilde\alpha a q$ and $a \notin T$, then $p_1(\alpha) = 0$ by definition, yielding $\mu'(C_\alpha) = \mu(C_\alpha)$. Finally, if $\alpha = \tilde\alpha a q$ and $a \in T$, then $p_1(\alpha) = \mu(\tilde\alpha)\,\mu_{\tilde\alpha,a}(q)$ by definition, yielding $\mu'(C_\alpha) = \mu(C_\alpha) + \mu(\tilde\alpha)\,\mu_{\tilde\alpha,a}(q)$. □

Lemma 3.33 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu$ be a discrete measure over finite execution fragments, $T$ a task, and $\mu' = apply(\mu, T)$. Then $\mu \le \mu'$.

Proof. Follows directly by Lemma 3.32. □

Lemma 3.34 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu$ be a discrete measure over finite execution fragments and let $\rho_1$ and $\rho_2$ be two finite sequences of tasks such that $\rho_1$ is a prefix of $\rho_2$. Then $apply(\mu, \rho_1) \le apply(\mu, \rho_2)$.

Proof. Simple inductive argument using Lemma 3.33 for the inductive step. □

Lemma 3.35 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu$ be a discrete measure over finite execution fragments. Then $apply(\mu, \lambda)$ is a generalized probabilistic execution fragment generated by $\mu$.

Proof. Follows directly by the definitions by defining a scheduler $\sigma$ such that $\sigma(\alpha)(tr) = 0$ for each finite execution fragment $\alpha$ and each transition $tr$. □

Lemma 3.36 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\mu$ be a discrete probability measure over finite execution fragments of $\mathcal{P}$, $\rho$ a task scheduler for $\mathcal{T}$, and $q$ a state of $\mathcal{T}$. Then $apply(\mu, \rho)(C_q) = \mu(C_q)$.

Proof. We prove the result for finite $\rho$'s by induction on the length of $\rho$. Then the result for infinite $\rho$'s follows by limit. The base case is trivial since, by definition, $apply(\mu, \lambda) = \mu$. For the inductive step, let $\rho = \rho' T$, and let $\varepsilon$ be $apply(\mu, \rho')$. By definition of $apply(\cdot,\cdot)$, $apply(\mu, \rho) = apply(\varepsilon, T)$. By induction, $\varepsilon(C_q) = \mu(C_q)$. We show that $apply(\varepsilon, T)(C_q) = \varepsilon(C_q)$, which suffices.

Let $\varepsilon'$ be $apply(\varepsilon, T)$. By definition of cone, $\varepsilon'(C_q) = \sum_{\alpha:\, q \le \alpha} \varepsilon'(\alpha)$. Since, by Lemma 3.31, both $\varepsilon$ and $\varepsilon'$ are measures over finite execution fragments, we can restrict the sum to finite execution fragments. Let $p_1$ and $p_2$ be the two functions used for the computation of $\varepsilon'(\alpha)$ according to Item 2 in the definition of $apply(\varepsilon, T)$. Then $\varepsilon'(C_q) = \sum_{\alpha \in execs^*(\mathcal{P}):\, q \le \alpha} (p_1(\alpha) + p_2(\alpha))$. By rearranging terms, we get

$$\varepsilon'(C_q) = p_1(q) + \sum_{\alpha \in execs^*(\mathcal{P}):\, q \le \alpha} \Bigl( p_2(\alpha) + \sum_{(a,s)} p_1(\alpha a s) \Bigr).$$

By Lemma 3.30, the right side of the equation above is $\sum_{\alpha:\, q \le \alpha} \varepsilon(\alpha)$, that is, $\varepsilon(C_q)$, as needed. □
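The following Python model is added here as an illustration and is not part of the paper: it implements $apply(\mu, T)$ exactly as Lemma 3.30 characterizes it ($p_1$ extends a fragment by the unique enabled action of $T$, $p_2$ carries over fragments from whose last state $T$ is not enabled) on a small constructed closed task-PIOA, and then checks Lemmas 3.31, 3.32, 3.33 and 3.36 on the resulting measures. The four-state automaton, its two tasks and all helper names are assumptions of the example.

```python
from fractions import Fraction

# Constructed toy closed task-PIOA (an assumption of this example, not from the
# paper): four states, three actions, two tasks.  All actions are output or
# internal, so the automaton is closed and both tasks are output/internal tasks.
START = "s0"
# TRANSITIONS[(q, a)] is mu_{q,a}: the target distribution of the unique
# transition (q, a, mu_{q,a}).  Absence of the key means a is not enabled in q.
TRANSITIONS = {
    ("s0", "a"): {"s1": Fraction(1, 2), "s2": Fraction(1, 2)},
    ("s1", "b"): {"s3": Fraction(1)},
    ("s2", "c"): {"s3": Fraction(1)},
}
# Tasks partition the actions.  Next-action determinism holds: from s0 only a,
# from s1 only b, from s2 only c is enabled, and nothing is enabled from s3.
TASKS = {"T1": frozenset({"a", "b"}), "T2": frozenset({"c"})}

# A finite execution fragment alpha is a tuple (q0, a1, q1, a2, q2, ...); a
# discrete measure mu over fragments is a dict alpha -> mass.


def lstate(alpha):
    return alpha[-1]


def enabled_action(q, task):
    """The unique action of `task` enabled in q, or None if T is not enabled."""
    acts = [a for a in TASKS[task] if (q, a) in TRANSITIONS]
    assert len(acts) <= 1, "next-action determinism violated"
    return acts[0] if acts else None


def apply_task(mu, task):
    """apply(mu, T): mu'(alpha) = p1(alpha) + p2(alpha) for every fragment."""
    out = {}
    for alpha, mass in mu.items():
        a = enabled_action(lstate(alpha), task)
        if a is None:
            # p2: T is not enabled from lstate(alpha), so alpha keeps its mass
            out[alpha] = out.get(alpha, 0) + mass
        else:
            # p1: alpha a q receives mu(alpha) * mu_{alpha,a}(q) for each q
            for q, pq in TRANSITIONS[(lstate(alpha), a)].items():
                ext = alpha + (a, q)
                out[ext] = out.get(ext, 0) + mass * pq
    return out


def apply_seq(mu, tasks):
    """apply(mu, rho) for a finite task sequence rho; apply(mu, lambda) = mu."""
    for task in tasks:
        mu = apply_task(mu, task)
    return mu


def is_prefix(alpha, beta):
    """alpha <= beta: alpha is a prefix of beta."""
    return len(alpha) <= len(beta) and beta[: len(alpha)] == alpha


def cone(mu, alpha):
    """mu(C_alpha) = sum of mu(alpha') over all alpha' with alpha <= alpha'."""
    return sum(mass for beta, mass in mu.items() if is_prefix(alpha, beta))


def total_mass(mu):
    return sum(mu.values())


def leq(mu, mu_prime):
    """mu <= mu' in the cone order used by Lemmas 3.33 and 3.34."""
    frags = set(mu) | set(mu_prime)
    return all(cone(mu, f) <= cone(mu_prime, f) for f in frags)


def check_lemma_3_32(mu, task):
    """Verify the three cone cases of Lemma 3.32 for mu' = apply(mu, T)."""
    mu_prime = apply_task(mu, task)
    for alpha in set(mu) | set(mu_prime):
        if len(alpha) == 1:                        # case 1: a single state
            expect = cone(mu, alpha)
        else:
            head, a, q = alpha[:-2], alpha[-2], alpha[-1]
            if a not in TASKS[task]:              # case 2: a not in T
                expect = cone(mu, alpha)
            else:                                  # case 3: a in T
                step = TRANSITIONS.get((lstate(head), a), {}).get(q, 0)
                expect = cone(mu, alpha) + mu.get(head, 0) * step
        if cone(mu_prime, alpha) != expect:
            return False
    return True


def check_lemma_3_36(mu, tasks):
    """apply(mu, rho)(C_q) = mu(C_q) for every state q (Lemma 3.36)."""
    result = apply_seq(mu, tasks)
    states = {q for (q, _) in TRANSITIONS} | {q for d in TRANSITIONS.values() for q in d}
    return all(cone(result, (q,)) == cone(mu, (q,)) for q in states)
```

Running `apply_seq({("s0",): 1}, ["T1", "T1", "T2"])` shows the second $T_1$ extending only the branch through $s_1$ (from $s_2$ the task is not enabled, so $p_2$ keeps that fragment), while total mass and every state cone stay at their initial values.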

Lemma 3.37 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. If $\varepsilon$ is a generalized probabilistic execution fragment generated by a measure $\mu$, then, for each task $T$, $apply(\varepsilon, T)$ is a generalized probabilistic execution fragment generated by $\mu$.

Proof. Let $\sigma$ be a scheduler that, together with $\mu$, generates $\varepsilon$ (that is, $\varepsilon_{\sigma,\mu} = \varepsilon$). Let $\varepsilon'$ be $apply(\varepsilon, T)$. Let $\sigma'$ be a new scheduler such that, for each finite execution fragment $\alpha$, if $\varepsilon'(C_\alpha) - \mu(C_\alpha - \{\alpha\}) = 0$, then $\sigma'(\alpha)(tr) = 0$, otherwise,

$$\sigma'(\alpha)(tr) = \begin{cases} \dfrac{\varepsilon(C_\alpha) - \mu(C_\alpha - \{\alpha\})}{\varepsilon'(C_\alpha) - \mu(C_\alpha - \{\alpha\})}\,\bigl(\sigma(\alpha)(tr) + \sigma(\alpha)(\bot)\bigr) & \text{if } tr \in D(lstate(\alpha)) \text{ and } act(tr) \in T, \\[2ex] \dfrac{\varepsilon(C_\alpha) - \mu(C_\alpha - \{\alpha\})}{\varepsilon'(C_\alpha) - \mu(C_\alpha - \{\alpha\})}\,\sigma(\alpha)(tr) & \text{otherwise} \end{cases}$$

where $D(lstate(\alpha))$ denotes the set of transitions of $D$ with source state $lstate(\alpha)$ and $act(tr)$ denotes the action that occurs in $tr$. We prove by induction on the length of a finite execution fragment $\alpha$ that $\varepsilon_{\sigma',\mu}(C_\alpha) = \varepsilon'(C_\alpha)$.

For the base case, let $\alpha = q$. By Lemma 3.18, $\varepsilon_{\sigma,\mu}(C_q) = \mu(C_q)$ and $\varepsilon_{\sigma',\mu}(C_q) = \mu(C_q)$. Thus, $\varepsilon_{\sigma',\mu}(C_q) = \varepsilon_{\sigma,\mu}(C_q)$. The right-hand side is in turn equal to $\varepsilon(C_q)$ by definition, which is equal to $\varepsilon'(C_q)$ by Lemma 3.36. Thus, $\varepsilon_{\sigma',\mu}(C_q) = \varepsilon'(C_q)$, as needed.

For the inductive step, let $\alpha = \tilde\alpha a q$. By Lemma 3.18 and Equation (1), the definition of the measure of a cone, we get

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \mu(C_\alpha) + \sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\varepsilon_{\sigma',\alpha'}(C_{\tilde\alpha})\,\mu_{\sigma'(\tilde\alpha)}(a, q).$$

We know that $a$ is enabled from $lstate(\tilde\alpha)$, because $\alpha$ is an execution fragment of $\mathcal{P}$. Thus, $tr_{\tilde\alpha,a}$ and $\mu_{\tilde\alpha,a}$ are defined. By expanding $\mu_{\sigma'(\tilde\alpha)}(a, q)$ in the equation above, we get

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \mu(C_\alpha) + \sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\varepsilon_{\sigma',\alpha'}(C_{\tilde\alpha})\,\sigma'(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q). \qquad (2)$$

We distinguish three cases.

1. $\varepsilon'(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) = 0$.

By inductive hypothesis, $\varepsilon_{\sigma',\mu}(C_{\tilde\alpha}) = \varepsilon'(C_{\tilde\alpha})$. Then by Lemma 3.20, $\varepsilon_{\sigma',\mu}(C_\alpha) = \mu(C_\alpha)$. We show that $\varepsilon'(C_\alpha) = \mu(C_\alpha)$, which suffices.

By Lemma 3.33, $\varepsilon(C_{\tilde\alpha}) \le \varepsilon'(C_{\tilde\alpha})$. Thus, combining with $\varepsilon'(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) = 0$, we get $\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) \le 0$. On the other hand, from Lemma 3.19, and from $\varepsilon = \varepsilon_{\sigma,\mu}$, we derive $\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) \ge 0$. Thus, $\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) = 0$.

By Lemma 3.20, since $\varepsilon_{\sigma,\mu} = \varepsilon$ and $\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) = 0$, we get $\varepsilon(C_\alpha) = \mu(C_\alpha)$.

By Lemma 3.33, since $C_{\tilde\alpha} - \{\tilde\alpha\}$ is a union of cones, $\mu(C_{\tilde\alpha} - \{\tilde\alpha\}) \le \varepsilon(C_{\tilde\alpha} - \{\tilde\alpha\})$. By adding $\varepsilon(\{\tilde\alpha\})$ on both sides, we get $\mu(C_{\tilde\alpha} - \{\tilde\alpha\}) + \varepsilon(\{\tilde\alpha\}) \le \varepsilon(C_{\tilde\alpha} - \{\tilde\alpha\}) + \varepsilon(\{\tilde\alpha\}) = \varepsilon(C_{\tilde\alpha})$. Since $\varepsilon(C_{\tilde\alpha}) = \mu(C_{\tilde\alpha} - \{\tilde\alpha\})$, from the previous inequalities we derive $\varepsilon(C_{\tilde\alpha}) + \varepsilon(\{\tilde\alpha\}) \le \varepsilon(C_{\tilde\alpha})$, which implies $\varepsilon(\{\tilde\alpha\}) = 0$. By Lemma 3.32, cases 2 and 3, $\varepsilon'(C_\alpha) = \varepsilon(C_\alpha)$, which is equal to $\mu(C_\alpha)$, as needed.

2. $\varepsilon'(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) > 0$ and $a \notin T$.

By Equation (2) and by definition of $\sigma'$,

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \mu(C_\alpha) + \sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\varepsilon_{\sigma',\alpha'}(C_{\tilde\alpha})\,\frac{\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})}{\varepsilon'(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})}\,\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q).$$

Observe that in the sum above only the factors $\mu(\alpha')\,\varepsilon_{\sigma',\alpha'}(C_{\tilde\alpha})$ are not constant with respect to the choice of $\alpha'$. By Lemma 3.19 and algebraic manipulation, $\sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\varepsilon_{\sigma',\alpha'}(C_{\tilde\alpha}) = \varepsilon_{\sigma',\mu}(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})$. By inductive hypothesis, $\varepsilon_{\sigma',\mu}(C_{\tilde\alpha}) = \varepsilon'(C_{\tilde\alpha})$. Thus, by replacing $\sum_{\alpha' \le \tilde\alpha} \mu(\alpha')\,\varepsilon_{\sigma',\alpha'}(C_{\tilde\alpha})$ with $\varepsilon'(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})$ and simplifying the resulting expression, we get

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \mu(C_\alpha) + \bigl(\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\bigr)\,\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q).$$

Since, by definition, $\varepsilon = \varepsilon_{\sigma,\mu}$, by Lemma 3.20, Part 2, the right side of the equation above is $\varepsilon(C_\alpha)$. By Lemma 3.32, $\varepsilon(C_\alpha) = \varepsilon'(C_\alpha)$. Thus, $\varepsilon_{\sigma',\mu}(C_\alpha) = \varepsilon'(C_\alpha)$, as needed.

3. $\varepsilon'(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}) > 0$ and $a \in T$.

By following the same approach as in the previous case,

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \mu(C_\alpha) + \bigl(\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\bigr)\bigl(\sigma(\tilde\alpha)(tr_{\tilde\alpha,a}) + \sigma(\tilde\alpha)(\bot)\bigr)\,\mu_{\tilde\alpha,a}(q).$$

Since, as shown in the previous case, $\varepsilon(C_\alpha) = \mu(C_\alpha) + (\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}))\,\sigma(\tilde\alpha)(tr_{\tilde\alpha,a})\,\mu_{\tilde\alpha,a}(q)$, the equation above becomes

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \varepsilon(C_\alpha) + \bigl(\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\})\bigr)\,\sigma(\tilde\alpha)(\bot)\,\mu_{\tilde\alpha,a}(q).$$

By replacing $(\varepsilon(C_{\tilde\alpha}) - \mu(C_{\tilde\alpha} - \{\tilde\alpha\}))\,\sigma(\tilde\alpha)(\bot)$ according to Lemma 3.21, and observing that, by definition, $\varepsilon = \varepsilon_{\sigma,\mu}$, we get

$$\varepsilon_{\sigma',\mu}(C_\alpha) = \varepsilon(C_\alpha) + \varepsilon(\tilde\alpha)\,\mu_{\tilde\alpha,a}(q).$$

Then, the result follows by Lemma 3.32, Part 3. □

Lemma 3.38 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. For each probability measure $\mu$ on finite execution fragments and each finite sequence of tasks $\rho$, $apply(\mu, \rho)$ is a generalized probabilistic execution fragment generated by $\mu$.

Proof. Simple inductive argument using Lemma 3.35 for the base case and Lemma 3.37 for the inductive step. □

Lemma 3.39 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. For each measure $\mu$ on finite execution fragments and each infinite sequence of tasks $\rho$, $apply(\mu, \rho)$ is a generalized probabilistic execution fragment generated by $\mu$.

Proof. For each $i \ge 0$, let $\rho_i$ be the prefix of $\rho$ consisting of the first $i$ tasks of $\rho$, and let $\varepsilon_i$ be $apply(\mu, \rho_i)$. By Lemmas 3.38 and 3.34, $\varepsilon_0, \varepsilon_1, \ldots$ is a chain of generalized probabilistic execution fragments generated by $\mu$. By Proposition 3.23, $\lim_{i \to \infty} \varepsilon_i$ is a generalized probabilistic execution fragment generated by $\mu$, which suffices since, by definition, $apply(\mu, \rho)$ is $\lim_{i \to \infty} \varepsilon_i$. □

Now we can prove Proposition 3.40, our main target. It says that any probability measure on execution fragments that is generated by $apply(\mu, \rho)$ for any $\mu$ and $\rho$, is a "standard" probability measure on execution fragments — one that is generable from $\mu$ using a traditional scheduler.

Proposition 3.40 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. For each measure $\mu$ on finite execution fragments and each sequence of tasks $\rho$, $apply(\mu, \rho)$ is a generalized probabilistic execution fragment generated by $\mu$.

Proof. Follows directly by Lemmas 3.38 and 3.39. □

Lemma 3.41 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a closed task-PIOA. Let $\rho_1, \rho_2, \ldots$ be a finite or infinite sequence of finite task schedulers and let $\mu$ be a discrete probability measure on finite execution fragments. For each $i \ge 0$, let $\varepsilon_i = apply(\mu, \rho_1 \rho_2 \cdots \rho_i)$, where $\rho_1 \cdots \rho_i$ denotes the concatenation of the sequences $\rho_1$ through $\rho_i$. Let $\rho$ be the concatenation of all the $\rho_i$'s, and let $\varepsilon = apply(\mu, \rho)$. Then the $\varepsilon_i$'s form a chain and $\varepsilon = \lim_{i \to \infty} \varepsilon_i$.

Proof. The fact that the $\varepsilon_i$'s form a chain follows by Lemma 3.33. For the limit property, if the sequence $\rho_1, \rho_2, \ldots$ is finite, then the result is immediate. Otherwise, it is enough to observe that the sequence $\varepsilon_1, \varepsilon_2, \ldots$ is a sub-sequence of the sequence used in the definition of $apply(\mu, \rho_1 \rho_2 \cdots)$ that has the same limit. □
A generalized probabilistic execution fragment of a closed task-PIOA $\mathcal{T}$ is any generalized probabilistic execution fragment of the underlying PIOA $\mathcal{P}$ that is generated from any $\mu$ and any task scheduler $\rho$, as $apply(\mu, \rho)$. If $supp(\mu)$ is included in the set of states of $\mathcal{P}$, then we call $apply(\mu, \rho)$ a probabilistic execution fragment of $\mathcal{T}$. Finally, for the start state $\bar q$, we call $apply(\bar q, \rho)$ a probabilistic execution of $\mathcal{T}$.

Now we consider trace distributions of task-PIOAs. Namely, for any $\mu$ and $\rho$, we write $tdist(\mu, \rho)$ as shorthand for $tdist(apply(\mu, \rho))$. We write $tdist(\rho)$ as shorthand for $tdist(apply(\bar q, \rho))$, where $\bar q$ is the unique start state. A trace distribution of $\mathcal{T}$ is any $tdist(\rho)$. We use $tdists(\mathcal{T})$ for a closed task-PIOA $\mathcal{T}$ to denote the set $\{tdist(\rho) : \rho \text{ is a task scheduler for } \mathcal{T}\}$.

3.3.4 Composition 

The systems in this paper are described as compositions of task-PIOAs. Here we show how to regard 
such a composition as a task-PIOA. 

Definition 3.42 To define composition of task-PIOAs, we need an additional compatibility requirement. Namely, we say that two task-PIOAs $\mathcal{T}_1 = (\mathcal{P}_1, RA_1, RS_1)$ and $\mathcal{T}_2 = (\mathcal{P}_2, RA_2, RS_2)$ are compatible provided that the following conditions are satisfied:

1. The underlying automata $\mathcal{P}_1$ and $\mathcal{P}_2$ are compatible.

2. For every task $T_1$ of $\mathcal{T}_1$ and every task $T_2$ of $\mathcal{T}_2$, either $T_1 = T_2$ or $T_1 \cap T_2 = \emptyset$.

Then we define the composition $\mathcal{T} = (\mathcal{P}, RA, RS)$ of two compatible task-PIOAs $\mathcal{T}_1 = (\mathcal{P}_1, RA_1, RS_1)$ and $\mathcal{T}_2 = (\mathcal{P}_2, RA_2, RS_2)$, denoted by $\mathcal{T}_1 \| \mathcal{T}_2$, as follows:

• $\mathcal{P} = \mathcal{P}_1 \| \mathcal{P}_2$.

• $RA$ is $RA_1 \cup RA_2$.

• $RS$ is the equivalence relation defined as follows: $q \equiv_{RS} q'$ iff $q \lceil \mathcal{P}_i \equiv_{RS_i} q' \lceil \mathcal{P}_i$ for every $i \in \{1, 2\}$. We sometimes write $q \lceil i$ to denote $q \lceil \mathcal{P}_i$ for $i \in \{1, 2\}$.

Proposition 3.43 $\mathcal{T}_1 \| \mathcal{T}_2$ is a task-PIOA.

Proof. We must show that $\mathcal{T}_1 \| \mathcal{T}_2$ satisfies the consistency properties 1–4 in the definition of a task-PIOA.

1. Next-action determinism: Let $(q_1, q_2)$ be a state of $\mathcal{T}_1 \| \mathcal{T}_2$ and $T$ an output or internal task in $RA$. Then $T$ is an output or internal task of one of the two components, without loss of generality, of $\mathcal{P}_1$. By next-action determinism of $\mathcal{T}_1$, at most one action $a \in T$ is enabled in $q_1$, and hence at most that same action $a$ is enabled in $(q_1, q_2)$.

2. Random-choice consistency: Let $((q_1, q_2), a, \mu_1 \times \mu_2)$ be a transition of $\mathcal{P}_1 \| \mathcal{P}_2$. Consider each $i = 1, 2$: If $a$ is an action of $\mathcal{P}_i$, then $(q_i, a, \mu_i)$ is a transition of $\mathcal{P}_i$. Then by random-choice consistency of $\mathcal{T}_i$, $supp(\mu_i) \subseteq S_i$ for some $S_i \in RS_i$. On the other hand, if $a$ is not an action of $\mathcal{P}_i$, then $supp(\mu_i)$ is just $\{q_i\}$, which trivially is a subset of $S_i$ for some $S_i \in RS_i$.

Now, $supp(\mu_1 \times \mu_2) = supp(\mu_1) \times supp(\mu_2) \subseteq S_1 \times S_2$. By definition of $RS$ in terms of $RS_1$ and $RS_2$, $S_1 \times S_2 \in RS$, so this yields the conclusion.

3. Transition consistency: Suppose that $((q_1^1, q_2^1), a^1, \mu_1^1 \times \mu_2^1)$ and $((q_1^2, q_2^2), a^2, \mu_1^2 \times \mu_2^2)$ are two transitions of $\mathcal{P}_1 \| \mathcal{P}_2$ and suppose that $(q_1^1, q_2^1) \equiv_{RS} (q_1^2, q_2^2)$ and $a^1 \equiv_{RA} a^2$. Then $q_1^1 \equiv_{RS_1} q_1^2$ and $q_2^1 \equiv_{RS_2} q_2^2$.

Consider each $i = 1, 2$: If $a^1$ is an action of $\mathcal{P}_i$, then since $a^1 \equiv_{RA} a^2$, and by definition of the tasks of $\mathcal{T}_1 \| \mathcal{T}_2$ and compatibility, $a^2$ is also an action of $\mathcal{P}_i$. Then $(q_i^1, a^1, \mu_i^1)$ and $(q_i^2, a^2, \mu_i^2)$ are both transitions of $\mathcal{P}_i$. Then by transition consistency of $\mathcal{P}_i$, $supp(\mu_i^1) \cup supp(\mu_i^2) \subseteq S_i$ for some $S_i \in RS_i$.

Preliminary version - August 19, 2005

On the other hand, if $a^1$ is not an action of $\mathcal{P}_i$, then neither is $a^2$. In this case, $supp(\mu_i^1)$ is just $q_i^1$ and $supp(\mu_i^2)$ is $q_i^2$; since $q_i^1 \equiv_{RS_i} q_i^2$, there again exists a single equivalence class $S_i \in RS_i$ such that $supp(\mu_i^1) \cup supp(\mu_i^2) \subseteq S_i$.

Now, $supp(\mu_1^1 \times \mu_2^1) = supp(\mu_1^1) \times supp(\mu_2^1) \subseteq S_1 \times S_2$, and similarly $supp(\mu_1^2 \times \mu_2^2) = supp(\mu_1^2) \times supp(\mu_2^2) \subseteq S_1 \times S_2$. So, $supp(\mu_1^1 \times \mu_2^1) \cup supp(\mu_1^2 \times \mu_2^2) \subseteq S_1 \times S_2$. Since $S_1 \times S_2 \in RS$, this yields the conclusion.

4. Enabling consistency: Suppose that $(q_1^1, q_2^1) \equiv_{RS} (q_1^2, q_2^2)$, $a^1$ is an output or internal action of $\mathcal{P}_1 \| \mathcal{P}_2$, and $((q_1^1, q_2^1), a^1, \mu_1^1 \times \mu_2^1)$ is a transition of $\mathcal{P}_1 \| \mathcal{P}_2$. Then $a^1$ is an output or internal action of one of the two component automata, without loss of generality, of $\mathcal{P}_1$. Then $q_1^1 \equiv_{RS_1} q_1^2$ and $(q_1^1, a^1, \mu_1^1)$ is a transition of $\mathcal{P}_1$. Then by enabling consistency for $\mathcal{T}_1$, there exists a transition $(q_1^2, a^2, \mu_1^2)$ of $\mathcal{P}_1$ such that $a^1 \equiv_{RA} a^2$.

Now, if $a^2$ is an action of $\mathcal{P}_2$, then it must be an input, and so is enabled from all states. Therefore, in this case, there exists a transition $(q_2^2, a^2, \mu_2^2)$ of $\mathcal{P}_2$. Then $((q_1^2, q_2^2), a^2, \mu_1^2 \times \mu_2^2)$ is a transition of $\mathcal{P}_1 \| \mathcal{P}_2$, as needed.

On the other hand, if $a^2$ is not an action of $\mathcal{P}_2$, then $((q_1^2, q_2^2), a^2, \mu_1^2 \times \mu_2^2)$ is a transition of $\mathcal{P}_1 \| \mathcal{P}_2$, where $\mu_2^2$ is the Dirac distribution $\delta(q_2^2)$. Either way, we have the needed transition.

□

3.3.5 Hiding 

We define a hiding operation for task-PIOAs, which hides output tasks. 

Definition 3.44 Let $\mathcal{T} = (\mathcal{P}, RA, RS)$ be a task-PIOA where $\mathcal{P} = (Q, \bar q, I, O, H, D)$, and let $U \subseteq RA$ be a set of output tasks. Let $S = \bigcup_{T \in U} T$, that is, $S$ is the set of actions in all the tasks in $U$. Then we define $hide(\mathcal{T}, U)$ to be $(hide(\mathcal{P}, S), RA, RS)$.

3.3.6 Environments 

We define the notion of environment as follows. 

Definition 3.45 Suppose $\mathcal{T}$ and $\mathcal{E}$ are task-PIOAs. We say that $\mathcal{E}$ is an environment for $\mathcal{T}$ iff $\mathcal{E}$ is compatible with $\mathcal{T}$, $\mathcal{T} \| \mathcal{E}$ is closed and $\mathcal{E}$ has a special output action named $accept$.

The special accept output action is used by the environment to distinguish between different task- 
PIOAs. 

The following lemma about the existence of environments will be useful later, for example, in the proof of Lemma 3.61, which asserts the transitivity property of our time-bounded implementation notion. It says that, if a set of task-PIOAs $\{\mathcal{T}_1, \ldots, \mathcal{T}_n\}$ and $\mathcal{U}$ are comparable task-PIOAs and $\mathcal{E}$ is an environment for every $\mathcal{T}_i$, then $\mathcal{E}$ can be transformed into an environment $\mathcal{E}'$ for both every $\mathcal{T}_i$ and $\mathcal{U}$ through some renaming of the actions of $\mathcal{E}$ which does not modify its way of interacting with the $\mathcal{T}_i$'s.

Lemma 3.46 Suppose $\mathcal{T}_1, \ldots, \mathcal{T}_n$, $\mathcal{U}$ and $\mathcal{E}$ are task-PIOAs, all $\mathcal{T}_i$'s and $\mathcal{U}$ are comparable, and $\mathcal{E}$ is an environment for every $\mathcal{T}_i$. Then there exists a task-PIOA $\mathcal{E}'$ that is isomorphic to $\mathcal{E}$, such that $\mathcal{E}'$ is an environment for every $\mathcal{T}_i$ and $\mathcal{U}$; this isomorphism preserves all external actions of $\mathcal{E}$.

Proof. We define an environment $\mathcal{E}'$ by using a bijective renaming function $f : A_{\mathcal{E}} \to A_{\mathcal{E}'}$ that preserves the partition into input, output and internal actions. For simplicity, we assume that, if $f(a) \neq a$, then $f(a) \notin \bigcup_{i=1}^{n} A_{\mathcal{T}_i} \cup A_{\mathcal{U}} \cup A_{\mathcal{E}}$. We also write $I_{\mathcal{T}}$ and $O_{\mathcal{T}}$ instead of $I_{\mathcal{T}_i}$ and $O_{\mathcal{T}_i}$, as all $\mathcal{T}_i$ have the same inputs and outputs.

The isomorphism condition implies that the renaming function $f$ is the identity for all actions in $(I_{\mathcal{E}} \cap O_{\mathcal{T}}) \cup (O_{\mathcal{E}} \cap I_{\mathcal{T}})$: it does not alter the communication between the $\mathcal{T}_i$ and $\mathcal{E}$ in any way.

If we check the properties guaranteed by the fact that $\mathcal{U}$ is comparable to every $\mathcal{T}_i$, we may observe that $\mathcal{E}$ is an environment for $\mathcal{U}$ if $H_{\mathcal{U}} \cap A_{\mathcal{E}} = \emptyset$. Respecting this condition might seem to require renaming all actions of $\mathcal{E}$. This is however not the case, as $H_{\mathcal{U}} \cap ((I_{\mathcal{E}} \cap O_{\mathcal{T}}) \cup (O_{\mathcal{E}} \cap I_{\mathcal{T}})) = \emptyset$ since $\mathcal{U}$ is comparable to every $\mathcal{T}_i$ and the internal actions of $\mathcal{U}$ are disjoint from its input and output actions. So, renaming all actions of $\mathcal{E}$ which are internal actions of $\mathcal{U}$ will never require violating the restriction on $f$ we stated in the last paragraph. □

3.3.7 Implementation 

Our notion of implementation for task-PIOAs is based on probabilistic executions that look the same 
to any environment for the PIOAs. This notion of implementation makes sense only for comparable 
task-PIOAs. 

Definition 3.47 Two task-PIOAs $(\mathcal{P}_1, RA_1, RS_1)$ and $(\mathcal{P}_2, RA_2, RS_2)$ are comparable if:

1. $\mathcal{P}_1$ and $\mathcal{P}_2$ are comparable (have the same external signature).

2. $RA_1$ and $RA_2$ contain exactly the same external tasks.

We now define the $\le_0$-implementation notion for task-PIOAs.

Definition 3.48 Suppose $\mathcal{T}_1$ and $\mathcal{T}_2$ are two task-PIOAs. We say that $\mathcal{T}_1 \le_0 \mathcal{T}_2$ provided that, for every environment $\mathcal{E}$ for both $\mathcal{T}_1$ and $\mathcal{T}_2$, $tdists(\mathcal{T}_1 \| \mathcal{E}) \subseteq tdists(\mathcal{T}_2 \| \mathcal{E})$.

3.3.8 Simulation Relations 

We now present our new simulation relation definition. Our definition differs from previous definitions for simulation relations for PIOAs, for example, those in [Segala95], in that it relates two distributions on states, rather than two states, or a state and a distribution. Also, our definition uses the task structure.

Like other definitions for simulations for PIOAs, our new definition includes a start condition and a step condition. However, our step condition is not the most obvious: Starting from two distributions $\varepsilon_1$ and $\varepsilon_2$, where $\varepsilon_1 \mathrel{R} \varepsilon_2$, we end up with two distributions $\varepsilon'_1$ and $\varepsilon'_2$. We do not require that $\varepsilon'_1 \mathrel{R} \varepsilon'_2$; instead, we require that $\varepsilon'_1$ and $\varepsilon'_2$ be decomposable into related distributions. To describe this decomposition, we use the expansion notion defined in Section 3.1.2.

Definition 3.49 Let $\mathcal{T}_1 = (\mathcal{P}_1, RA_1, RS_1)$ and $\mathcal{T}_2 = (\mathcal{P}_2, RA_2, RS_2)$ be two closed task-PIOAs. Let $R$ be a relation on discrete distributions over finite execution fragments such that, if $\varepsilon_1 \mathrel{R} \varepsilon_2$ then

• $tdist(\varepsilon_1) = tdist(\varepsilon_2)$.

• there exist equivalence classes $S_1 \in RS_1$ and $S_2 \in RS_2$ such that $supp(lstate(\varepsilon_1)) \subseteq S_1$ and $supp(lstate(\varepsilon_2)) \subseteq S_2$.

Then we say that $R$ is a simulation relation from $\mathcal{T}_1$ to $\mathcal{T}_2$ if it satisfies the following properties:

1. Start condition: $\delta(\bar q_1) \mathrel{R} \delta(\bar q_2)$.

2. Step condition: There exists a mapping $corrtasks : (RS_1 \times RA_1) \to RA_2^*$ such that the following holds: If $\varepsilon_1 \mathrel{R} \varepsilon_2$ and $T$ is a task of $\mathcal{T}_1$, then $\varepsilon'_1 \mathrel{\mathcal{E}(R)} \varepsilon'_2$, where $\varepsilon'_1 = apply(\varepsilon_1, T)$ and $\varepsilon'_2 = apply(\varepsilon_2, corrtasks([lstate(\varepsilon_1)], T))$.¹

¹ That is, we apply the $corrtasks$ function to the unique equivalence class of all the final states of the execution fragments in $\varepsilon_1$.
The following lemma gives a simple consequence of our simulation relation definition. The definition of a simulation relation says that any two $R$-related state distributions must have the same trace distribution. This lemma extends this property by saying that any pair of state distributions that are related by the expansion of the relation $R$, $\mathcal{E}(R)$, must also have the same trace distribution. (For the proof, the only property of simulation relations that we need is that related state distributions have the same trace distribution.)

Lemma 3.50 Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be two closed task-PIOAs, $R$ a simulation from $\mathcal{T}_1$ to $\mathcal{T}_2$. Let $\varepsilon_1$ and $\varepsilon_2$ be discrete distributions on finite execution fragments of $\mathcal{T}_1$ and $\mathcal{T}_2$, respectively, such that $\varepsilon_1 \mathrel{\mathcal{E}(R)} \varepsilon_2$. Then $tdist(\varepsilon_1) = tdist(\varepsilon_2)$.

Proof. Let $\eta_1, \eta_2$ and $w$ be the measures and weighting function used to prove that $\varepsilon_1 \mathrel{\mathcal{E}(R)} \varepsilon_2$. Since $\varepsilon_1 = flatten(\eta_1)$, $tdist(\varepsilon_1) = \sum_{\rho_1 \in supp(\eta_1)} \eta_1(\rho_1)\, tdist(\rho_1)$. Since $w$ is a weighting function, we can rewrite the expression on the right as $\sum_{\rho_1 \in supp(\eta_1)} \sum_{\rho_2 \in supp(\eta_2)} w(\rho_1, \rho_2)\, tdist(\rho_1)$. Since $\rho_1 \mathrel{R} \rho_2$ whenever $w(\rho_1, \rho_2) > 0$, and since, by the definition of a simulation relation, $tdist(\rho_1) = tdist(\rho_2)$ whenever $\rho_1 \mathrel{R} \rho_2$, we can replace $tdist(\rho_1)$ by $tdist(\rho_2)$. Thus, $tdist(\varepsilon_1) = \sum_{\rho_1 \in supp(\eta_1)} \sum_{\rho_2 \in supp(\eta_2)} w(\rho_1, \rho_2)\, tdist(\rho_2)$. By exchanging sums, this last expression is equal to $\sum_{\rho_2 \in supp(\eta_2)} \sum_{\rho_1 \in supp(\eta_1)} w(\rho_1, \rho_2)\, tdist(\rho_2)$.

Now, since $w$ is a weighting function, we can simplify the inner sum, thus getting $tdist(\varepsilon_1) = \sum_{\rho_2 \in supp(\eta_2)} \eta_2(\rho_2)\, tdist(\rho_2)$. Since $\varepsilon_2 = flatten(\eta_2)$, the right-hand side can be rewritten as $tdist(\varepsilon_2)$. Thus, $tdist(\varepsilon_1) = tdist(\varepsilon_2)$, as needed. □

We now prove Theorem 3.52, which asserts that simulation relations are sound for showing inclusion 
of sets of trace distributions. We first give a lemma that provides the inductive step that we need for 
the proof of the main theorem. 

Lemma 3.51 Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be two closed task-PIOAs, let $R$ be a simulation relation from $\mathcal{T}_1$ to $\mathcal{T}_2$, and let $corrtasks$ be a mapping that satisfies the conditions required for a simulation relation. Let $\rho_1$ and $\rho_2$ be finite task schedulers of $\mathcal{T}_1$ and $\mathcal{T}_2$ respectively. Let $\varepsilon_1 = apply(\delta(\bar q_1), \rho_1)$ and $\varepsilon_2 = apply(\delta(\bar q_2), \rho_2)$ be the respective discrete distributions on finite executions of $\mathcal{T}_1$ and $\mathcal{T}_2$ generated by $\rho_1$ and $\rho_2$. Suppose that $\varepsilon_1 \mathrel{\mathcal{E}(R)} \varepsilon_2$.

Let $T$ be a task of $\mathcal{T}_1$. Let $\varepsilon'_1 = apply(\delta(\bar q_1), \rho_1 T)$ and let $\varepsilon'_2 = apply(\delta(\bar q_2), \rho_2\, corrtasks([lstate(\varepsilon_1)], T))$.² Then $\varepsilon'_1 \mathrel{\mathcal{E}(R)} \varepsilon'_2$.

Proof. Let $\eta_1, \eta_2$ and $w$ be the measures and weighting function that "prove" $\varepsilon_1 \mathrel{\mathcal{E}(R)} \varepsilon_2$. Observe that $\varepsilon'_1 = apply(\varepsilon_1, T)$ and $\varepsilon'_2 = apply(\varepsilon_2, corrtasks([lstate(\varepsilon_1)], T))$. Recall that by Lemma 3.29, there is a single class $S$ such that $supp(lstate(\varepsilon_1)) \subseteq S$.

We apply Lemma 3.5: Define the function $f$ on discrete distributions on finite execution fragments of $\mathcal{T}_1$ by $f(\varepsilon) = apply(\varepsilon, T)$, and the function $g$ on discrete distributions on finite execution fragments of $\mathcal{T}_2$ by $g(\varepsilon) = apply(\varepsilon, corrtasks([lstate(\varepsilon_1)], T))$. We show that the hypothesis of Lemma 3.5 is satisfied, which implies that, by Lemma 3.5, $\varepsilon'_1 \mathrel{\mathcal{E}(R)} \varepsilon'_2$, as needed.

Let $\rho_1, \rho_2$ be two measures such that $w(\rho_1, \rho_2) > 0$. We must show that $f(\rho_1) \mathrel{\mathcal{E}(R)} g(\rho_2)$. Since $w$ is a weighting function for $\varepsilon_1 \mathrel{\mathcal{E}(R)} \varepsilon_2$, $\rho_1 \mathrel{R} \rho_2$. By the step condition for $R$, $apply(\rho_1, T) \mathrel{\mathcal{E}(R)} apply(\rho_2, corrtasks([lstate(\rho_1)], T))$.

Observe that $apply(\rho_1, T) = f(\rho_1)$. We show that $apply(\rho_2, corrtasks([lstate(\rho_1)], T)) = g(\rho_2)$, which yields $f(\rho_1) \mathrel{\mathcal{E}(R)} g(\rho_2)$. For this purpose, by definition of $g$, it suffices to show that $[lstate(\rho_1)] = [lstate(\varepsilon_1)]$. Since $\varepsilon_1 = flatten(\eta_1)$, and since, by the fact that $w(\rho_1, \rho_2) > 0$, $\eta_1(\rho_1) > 0$, $supp(\rho_1) \subseteq supp(\varepsilon_1)$. Thus, $[lstate(\rho_1)] = [lstate(\varepsilon_1)]$, as needed. □

The following theorem, Theorem 3.52, is the main soundness result. The proof simply puts the pieces together, using only Lemmas 3.41 (which says that the probabilistic execution generated by an infinite task scheduler can be seen as the limit of the probabilistic executions generated by some of the finite prefixes of the task scheduler), 3.51 (the step condition), 3.50 (related probabilistic executions have the same trace distribution), and 3.15 (limit commutes with $tdist$).

² Lemma 3.29 implies that there is a single equivalence class $S$ such that $supp(lstate(\varepsilon_1)) \subseteq S$. Thus, $\varepsilon'_2$ is well defined.
Theorem 3.52 Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be two closed task-PIOAs. If there exists a simulation relation from $\mathcal{T}_1$ to $\mathcal{T}_2$, then $tdists(\mathcal{T}_1) \subseteq tdists(\mathcal{T}_2)$.

Proof. Let $R$ be the assumed simulation relation from $\mathcal{T}_1$ to $\mathcal{T}_2$. Let $\varepsilon_1$ be the probabilistic execution of $\mathcal{T}_1$ generated by $\bar q_1$ and a (finite or infinite) task scheduler, $T_1, T_2, \ldots$. For each $i > 0$, define $\rho_i$ to be $corrtasks([lstate(apply(\bar q_1, T_1 \cdots T_{i-1}))], T_i)$. Let $\varepsilon_2$ be the probabilistic execution generated by $\bar q_2$ and the concatenation $\rho_1 \rho_2 \cdots$. We claim that $tdist(\varepsilon_1) = tdist(\varepsilon_2)$, which suffices.

For each $j \ge 0$, let $\varepsilon_{1,j} = apply(\bar q_1, T_1 \cdots T_j)$, and $\varepsilon_{2,j} = apply(\bar q_2, \rho_1 \cdots \rho_j)$. By Lemma 3.41, for each $j \ge 0$, $\varepsilon_{1,j} \le \varepsilon_{1,j+1}$ and $\varepsilon_{2,j} \le \varepsilon_{2,j+1}$, and furthermore, $\lim_{j \to \infty} \varepsilon_{1,j} = \varepsilon_1$ and $\lim_{j \to \infty} \varepsilon_{2,j} = \varepsilon_2$. Also, note that for every $j \ge 0$, $apply(\varepsilon_{1,j}, T_{j+1}) = \varepsilon_{1,j+1}$ and $apply(\varepsilon_{2,j}, \rho_{j+1}) = \varepsilon_{2,j+1}$.

Observe that $\varepsilon_{1,0} = \delta(\bar q_1)$ and $\varepsilon_{2,0} = \delta(\bar q_2)$. By the start condition for a simulation relation and a trivial expansion, we see that $\varepsilon_{1,0} \mathrel{\mathcal{E}(R)} \varepsilon_{2,0}$. Then by induction, using Lemma 3.51 for the inductive step, for each $j \ge 0$, $\varepsilon_{1,j} \mathrel{\mathcal{E}(R)} \varepsilon_{2,j}$. Then, by Lemma 3.50, for each $j \ge 0$, $tdist(\varepsilon_{1,j}) = tdist(\varepsilon_{2,j})$. By Lemma 3.15, $tdist(\varepsilon_1) = \lim_{j \to \infty} tdist(\varepsilon_{1,j})$, and $tdist(\varepsilon_2) = \lim_{j \to \infty} tdist(\varepsilon_{2,j})$. Since for each $j \ge 0$, $tdist(\varepsilon_{1,j}) = tdist(\varepsilon_{2,j})$, we conclude $tdist(\varepsilon_1) = tdist(\varepsilon_2)$, as needed. □

In order to use our implementation results in a setting involving polynomial time bounds, we need a slight variant of Theorem 3.52. This variant assumes a constant bound on the lengths of the $corrtasks$ sequences, and guarantees a bound on the ratio of the sizes of the high-level and low-level task schedulers.

Theorem 3.53 Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be two closed task-PIOAs, and $c \in \mathbb{N}$. Suppose there exists a simulation relation from $\mathcal{T}_1$ to $\mathcal{T}_2$, for which $|corrtasks(S, T)| \le c$ for every $S$ and $T$.

If $\tau$ is a trace distribution of $\mathcal{T}_1$ that is generated by a task scheduler $\rho_1$, then $\tau$ is also generated by some task scheduler $\rho_2$ for $\mathcal{T}_2$, with $|\rho_2| \le c\,|\rho_1|$.

Proof. By examination of the proof of Theorem 3.52. □

The proofs presented in Sections 9–12 use a special case of the simulation relation definition, which we describe here.

Lemma 3.54 Let $\mathcal{T}_1 = (\mathcal{P}_1, RA_1, RS_1)$ and $\mathcal{T}_2 = (\mathcal{P}_2, RA_2, RS_2)$ be two closed task-PIOAs. Let $R$ be a relation from discrete measures on finite execution fragments of $\mathcal{T}_1$ to discrete measures on finite execution fragments of $\mathcal{T}_2$ such that, if $\varepsilon_1 \mathrel{R} \varepsilon_2$ then

• $tdist(\varepsilon_1) = tdist(\varepsilon_2)$.

• there exist equivalence classes $S_1 \in RS_1$ and $S_2 \in RS_2$ such that $supp(lstate(\varepsilon_1)) \subseteq S_1$ and $supp(lstate(\varepsilon_2)) \subseteq S_2$.

Suppose further that the following conditions hold:

1. Start condition: $\delta(\bar q_1) \mathrel{R} \delta(\bar q_2)$.

2. Step condition: There exists a mapping $corrtasks : (RS_1 \times RA_1) \to RA_2^*$ such that, if $\varepsilon_1 \mathrel{R} \varepsilon_2$ and $T$ is a task of $\mathcal{T}_1$ that is enabled in $supp(lstate(\varepsilon_1))$, then there exist

• a probability measure $p$ on a countable index set $I$,

• probability measures $\varepsilon'_{1,j}$, $j \in I$, on finite execution fragments of $\mathcal{T}_1$, and

• probability measures $\varepsilon'_{2,j}$, $j \in I$, on finite execution fragments of $\mathcal{T}_2$,

such that:

• for each $j \in I$, $\varepsilon'_{1,j} \mathrel{R} \varepsilon'_{2,j}$,

• $\sum_{j \in I} p(j)\,(\varepsilon'_{1,j}) = apply(\varepsilon_1, T)$, and

• $\sum_{j \in I} p(j)\,(\varepsilon'_{2,j}) = apply(\varepsilon_2, corrtasks([lstate(\varepsilon_1)], T))$.

Then $R$ is a simulation relation from $\mathcal{T}_1$ to $\mathcal{T}_2$.

Proof. Straightforward, by Lemma 3.4. The additional enabling condition for $T$ added here is not a serious restriction: for each non-enabled task $T$, we can make $corrtasks = \lambda$. □
3.4 Time-Bounded Task-PIOAs

In this section, we impose time bounds on task-PIOAs. We will use this in the next section to define polynomial-time-bounded task-PIOAs.

3.4.1 Time-Bounded Task-PIOAs

We assume a standard bit-string representation scheme for actions and tasks, which is the same for all task-PIOAs that have these actions and tasks. We write $\langle a \rangle$ for the representation of action $a$, and $\langle T \rangle$ for the representation of task $T$.

Definition 3.55 Task-PIOA $\mathcal{T}$ is said to be $b$-time-bounded, where $b \in \mathbb{R}^{\ge 0}$, provided that:

1. Automaton parts: Every state $q$, transition $tr$, and state equivalence class $S$ has a bit-string representation, which we denote by $\langle q \rangle$, $\langle tr \rangle$, and $\langle S \rangle$, respectively. The length of the bit-string representation of every action, state, transition, task, and state equivalence class of $\mathcal{T}$ is at most $b$.

2. Decoding: There is a deterministic Turing machine that, given the representation of a candidate state $q$, decides whether $q$ is a state of $\mathcal{T}$, and always runs in time at most $b$. Also, there is a deterministic Turing machine that, given the representation of a candidate state $q$, decides whether $q$ is the unique start state of $\mathcal{T}$. Similarly for a candidate input action, output action, internal action, transition, input task, output task, internal task, or state equivalence class. Also, there is a deterministic Turing machine that, given the representation of two candidate actions $a_1$ and $a_2$, decides whether $(a_1, a_2) \in RA$, and always runs in time at most $b$; similarly for the representation of two candidate states $q_1$ and $q_2$ and $RS$. Also, there is a deterministic Turing machine that, given the representation of an action $a$ of $\mathcal{T}$ and a task $T$, decides whether $a \in T$; again, this machine runs in time $b$.

3. Determining the next action: There is a deterministic Turing machine $M_{act}$ that, given the representation of a state $q$ of $\mathcal{T}$ and the representation of an output or internal task $T$ of $\mathcal{T}$, produces the representation of the unique action $a$ in task $T$ that is enabled in $q$ if one exists, and otherwise produces a special "no-action" indicator. Moreover, $M_{act}$ always runs in time at most $b$.

4. Determining the next state: There is a probabilistic Turing machine $M_{state}$ that, given the representation of a state $q$ of $\mathcal{T}$, and the representation of an action $a$ of $\mathcal{T}$ that is enabled in $q$, produces the representation of the next state resulting from the unique transition of $\mathcal{T}$ of the form $(q, a, \mu)$. Moreover, $M_{state}$ always runs in time at most $b$.

Moreover, we require that every Turing machine mentioned in this definition can be described using a bit string of length at most $b$, according to some standard encoding of Turing machines.

In the rest of this paper, we will not explicitly distinguish $\langle x \rangle$ from $x$.

3.4.2 Composition

We have already defined composition for task-PIOAs. Now we show that the composition of two time-bounded
task-PIOAs is also time-bounded, with a bound that is simply related to the bounds for the
two components.

Lemma 3.56 There exists a constant $c$ such that the following holds. Suppose $\mathcal{T}_1$ is a $b_1$-time-bounded
task-PIOA and $\mathcal{T}_2$ is a $b_2$-time-bounded task-PIOA, where $b_1, b_2 \geq 1$. Then $\mathcal{T}_1 \| \mathcal{T}_2$ is a $c(b_1 + b_2)$-time-bounded
task-PIOA.

Proof. We describe how the different bounds of Def. 3.55 combine when we compose $\mathcal{T}_1$ and $\mathcal{T}_2$.

1. Automaton parts: Every action or task of $\mathcal{T}_1 \| \mathcal{T}_2$ has a standard representation, which is the
same as its representation in $\mathcal{T}_1$ or $\mathcal{T}_2$. The length of this representation is, therefore, at most
$\max(b_1, b_2)$.

Every state of $\mathcal{T}_1 \| \mathcal{T}_2$ can be represented with a $2(b_1 + b_2) + 2 \leq 3(b_1 + b_2)$-bit string (the inequality
holds because $b_1, b_2 \geq 1$), by following each bit of the bit-string representations of the states of $\mathcal{T}_1$
and $\mathcal{T}_2$ with a zero, and then concatenating the results, separating them with the string 11. Since every
second bit of a stuffed representation is a zero, the separator 11 can be located unambiguously, so the
two component states can be recovered. Likewise, every transition of $\mathcal{T}_1 \| \mathcal{T}_2$ can be
represented as a $3(b_1 + b_2)$-bit string, by combining the representations of transitions of one or
both of the component automata, and every state equivalence class of $\mathcal{T}_1 \| \mathcal{T}_2$ can be represented
as a $3(b_1 + b_2)$-bit string, by combining the representations of state equivalence classes of both
automata.

2. Decoding: It is possible to decide whether a candidate state $q = (q_1, q_2)$ is a state of $\mathcal{T}_1 \| \mathcal{T}_2$ by
checking if $q_1$ is a state of $\mathcal{T}_1$ and $q_2$ is a state of $\mathcal{T}_2$. Similar verifications can be carried out for
candidate start states and for candidate state equivalence classes.

It is possible to decide if a candidate input action is an input action of $\mathcal{T}_1 \| \mathcal{T}_2$ by checking if it
is an input action of $\mathcal{T}_1$ or $\mathcal{T}_2$ but not an output action of $\mathcal{T}_1$ or $\mathcal{T}_2$. It is possible to decide if a
candidate internal (resp. output) action is an internal (resp. output) action of $\mathcal{T}_1 \| \mathcal{T}_2$ by checking
if it is an internal (resp. output) action of $\mathcal{T}_1$ or $\mathcal{T}_2$. A similar verification can be carried out for
input, internal and output tasks.

Given two candidate actions $a_1$ and $a_2$ of $\mathcal{T}_1 \| \mathcal{T}_2$, it is possible to decide whether $(a_1, a_2) \in RA_{\mathcal{T}_1 \| \mathcal{T}_2}$
by checking if $(a_1, a_2) \in RA_{\mathcal{T}_1}$ or $(a_1, a_2) \in RA_{\mathcal{T}_2}$. Given two candidate states $q$ and $q'$ of
$\mathcal{T}_1 \| \mathcal{T}_2$, it is possible to decide whether $(q, q') \in RS_{\mathcal{T}_1 \| \mathcal{T}_2}$ by checking if $(q \lceil \mathcal{T}_1, q' \lceil \mathcal{T}_1) \in RS_{\mathcal{T}_1}$ and
$(q \lceil \mathcal{T}_2, q' \lceil \mathcal{T}_2) \in RS_{\mathcal{T}_2}$ (this restriction notation is defined after Definition 3.42). Also, given an
action $a$ of $\mathcal{T}_1 \| \mathcal{T}_2$ and a task $T$ of $\mathcal{T}_1 \| \mathcal{T}_2$, it is possible to decide whether $a \in T$ by determining a
component automaton $\mathcal{T}_i$ that has $T$ as a task and using the procedure assumed for $\mathcal{T}_i$ to check
whether $a \in T$.

All these verifications can be done in time $O(b_1 + b_2)$.

3. Determining the next action: Assume $M_{act1}$ and $M_{act2}$ are the deterministic Turing machines
described in part 3 of Def. 3.55 for $\mathcal{T}_1$ and $\mathcal{T}_2$ respectively. We define $M_{act}$ for $\mathcal{T}_1 \| \mathcal{T}_2$ as the
deterministic Turing machine that, given state $q = (q_1, q_2)$ of $\mathcal{T}_1 \| \mathcal{T}_2$ where $q_1 = q \lceil \mathcal{T}_1$ and $q_2 = q \lceil \mathcal{T}_2$
and task $T$, outputs:

• The action (or "no-action" indicator) that is output by $M_{act1}(q_1, T)$, if $T$ is an output or
internal task of $\mathcal{T}_1$.

• The action (or "no-action" indicator) that is output by $M_{act2}(q_2, T)$, if $T$ is an output or
internal task of $\mathcal{T}_2$.

$M_{act}$ always operates within time $O(b_1 + b_2)$: this time is sufficient to determine whether $T$ is an
output or internal task of $\mathcal{T}_1$ or $\mathcal{T}_2$, to extract the needed part of $q$ to supply to $M_{act1}$ or $M_{act2}$,
and to run $M_{act1}$ or $M_{act2}$.

4. Determining the next state: Assume $M_{state1}$ and $M_{state2}$ are the probabilistic Turing machines
described in part 4 of Def. 3.55 for $\mathcal{T}_1$ and $\mathcal{T}_2$ respectively. We define $M_{state}$ for $\mathcal{T}_1 \| \mathcal{T}_2$ as the
probabilistic Turing machine that, given state $q = (q_1, q_2)$ of $\mathcal{T}_1 \| \mathcal{T}_2$ where $q_1 = q \lceil \mathcal{T}_1$ and $q_2 = q \lceil \mathcal{T}_2$
and action $a$, outputs the next state of $\mathcal{T}_1 \| \mathcal{T}_2$ as $q' = (q'_1, q'_2)$, where $q'_1$ is the next state of $\mathcal{T}_1$ and
$q'_2$ is the next state of $\mathcal{T}_2$. The state $q'$ is computed as follows:

• If $a$ is an action of $\mathcal{T}_1$ then $q'_1$ is the output of $M_{state1}(q_1, a)$, while $q'_1 = q_1$ otherwise.

• If $a$ is an action of $\mathcal{T}_2$ then $q'_2$ is the output of $M_{state2}(q_2, a)$, while $q'_2 = q_2$ otherwise.

$M_{state}$ always operates within time $O(b_1 + b_2)$: this time is sufficient to determine whether $a$ is
an action of $\mathcal{T}_1$ and/or $\mathcal{T}_2$, to extract the needed parts of $q$ to supply to $M_{state1}$ and/or $M_{state2}$, and
to run $M_{state1}$ and/or $M_{state2}$.

Using standard Turing machine encodings, each of the needed Turing machines can be represented using
$O(b_1 + b_2)$ bits. □
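The encoding in item 1 of the proof is what lets the decoding procedures of item 2 split a composed state back into its components, and the length bound is what keeps the composed automaton time-bounded. As an added illustration that is not code from the paper, here is that bit-stuffing encoding and its decoder in Python; the names `stuff`, `unstuff`, `encode_pair`, `decode_pair` and the two bound helpers are chosen here.

```python
"""Added example (not the paper's code): the state encoding used in item 1 of
the proof of Lemma 3.56.  Each bit of a component state's representation is
followed by a 0, and the two stuffed strings are joined by the separator 11.
Because every odd position of a stuffed string is 0, the substring 11 can only
occur at the separator, so the encoding is uniquely decodable."""


def stuff(bits: str) -> str:
    """'1011' -> '10001010': each bit followed by a 0."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bit string expected")
    return "".join(b + "0" for b in bits)


def unstuff(stuffed: str) -> str:
    """Inverse of stuff(); rejects strings that are not of the stuffed form."""
    if len(stuffed) % 2 or any(stuffed[i] != "0" for i in range(1, len(stuffed), 2)):
        raise ValueError("not a stuffed bit string")
    return stuffed[0::2]


def encode_pair(q1: str, q2: str) -> str:
    """Representation of the composed state (q1, q2) of T1 || T2."""
    return stuff(q1) + "11" + stuff(q2)


def decode_pair(enc: str) -> tuple[str, str]:
    """Recover (q1, q2).  The first occurrence of '11' is the separator: inside
    stuff(q1) no two adjacent bits are both 1, and stuff(q1) ends in 0."""
    sep = enc.find("11")
    if sep < 0 or sep % 2:
        raise ValueError("missing or misaligned separator")
    return unstuff(enc[:sep]), unstuff(enc[sep + 2:])


def encoded_length(b1: int, b2: int) -> int:
    """Length of encode_pair for component representations of lengths b1, b2."""
    return 2 * (b1 + b2) + 2


def within_bound(b1: int, b2: int) -> bool:
    """The proof's claim 2(b1+b2)+2 <= 3(b1+b2); it needs b1 + b2 >= 2."""
    return encoded_length(b1, b2) <= 3 * (b1 + b2)
```

The decoder rejects malformed strings instead of guessing, which is the property one wants from any self-delimiting encoding that appears in a security argument: a string that does not parse must not be accepted as some state. `within_bound(1, 0)` is false, which is why the lemma assumes $b_1, b_2 \geq 1$.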

For the rest of the paper, we fix some constant $c_{comp}$ satisfying the conditions of Lemma 3.56.

3.4.3 Hiding

Lemma 3.57 There exists a constant $c$ such that the following holds. Suppose $\mathcal{T}$ is a $b$-time-bounded
task-PIOA, where $b \in \mathbb{R}^{\geq 0}$, $b \geq 1$. Let $\mathcal{U}$ be a subset of the set of output tasks of $\mathcal{T}$, where $|\mathcal{U}| \leq c'$.
Then $hide(\mathcal{T}, \mathcal{U})$ is a $c(c' + 1)b$-time-bounded task-PIOA.

Proof. All properties for $hide(\mathcal{T}, \mathcal{U})$ are straightforward to check, except for the following.

1. Output actions: To check whether a given action $a$ is an output action of $hide(\mathcal{T}, \mathcal{U})$, we use
the fact that $a$ is an output action of $hide(\mathcal{T}, \mathcal{U})$ if and only if $a$ is an output of $\mathcal{T}$ and is not in
any task in $\mathcal{U}$. So, to determine whether $a$ is an output of $hide(\mathcal{T}, \mathcal{U})$, we can use the procedure
for checking whether $a$ is an output of $\mathcal{T}$, followed by checking whether $a$ is in each task in $\mathcal{U}$.

2. Internal actions: To check whether a given action $a$ is an internal action of $hide(\mathcal{T}, \mathcal{U})$, we use
the fact that $a$ is an internal action of $hide(\mathcal{T}, \mathcal{U})$ if and only if $a$ is an internal action of $\mathcal{T}$ or $a$
is in some task in $\mathcal{U}$. So, to determine whether $a$ is an internal action of $hide(\mathcal{T}, \mathcal{U})$, we can use
the procedure for checking whether $a$ is an internal action of $\mathcal{T}$, followed by checking whether $a$
is in each task in $\mathcal{U}$.

3. Output tasks: To check whether a given task $T$ is an output task of $hide(\mathcal{T}, \mathcal{U})$, we use the fact
that $T$ is an output task of $hide(\mathcal{T}, \mathcal{U})$ if and only if $T$ is an output task of $\mathcal{T}$ and $T \notin \mathcal{U}$. So,
to determine whether $T$ is an output task of $hide(\mathcal{T}, \mathcal{U})$, we can use the procedure for checking
whether $T$ is an output task of $\mathcal{T}$, followed by comparing $T$ with each task in $\mathcal{U}$. Each of these
comparisons takes time proportional to $b$, which is a bound on the length of the representations of
the tasks of $\mathcal{T}$.

4. Internal tasks: To check whether a given task $T$ is an internal task of $hide(\mathcal{T}, \mathcal{U})$, we use the
fact that $T$ is an internal task of $hide(\mathcal{T}, \mathcal{U})$ if and only if $T$ is an internal task of $\mathcal{T}$ or $T \in \mathcal{U}$. So,
to determine whether $T$ is an internal task of $hide(\mathcal{T}, \mathcal{U})$, we can use the procedure for checking
whether $T$ is an internal task of $\mathcal{T}$, followed by comparing $T$ with each task in $\mathcal{U}$. Again, each of
these comparisons takes time proportional to $b$, which is a bound on the length of the representations
of the tasks of $\mathcal{T}$.

In all cases, the total time is proportional to $(c' + 1)b$: one invocation of a procedure assumed for $\mathcal{T}$,
followed by at most $c'$ comparisons or membership checks, each taking time proportional to $b$. Using
standard Turing machine encodings, each of the needed Turing machines can be represented using
$O((c' + 1)b)$ bits, since the at most $c'$ tasks in $\mathcal{U}$ are part of the machine's description. □

For the rest of this paper, we fix some constant $c_{hide}$ satisfying the conditions of Lemma 3.57.

3.4.4 Time-Bounded Task Scheduler

Definition 3.58 Let $\rho$ be a task scheduler for closed task-PIOA $\mathcal{T}$, and let $b \in \mathbb{N}$. Then we say that $\rho$
is $b$-time-bounded if $|\rho| \leq b$, that is, if the number of tasks in the task scheduler $\rho$ is at most $b$.

3.4.5 Implementation

In Section 3.3.7, we defined an implementation relation $\leq_0$ for task-PIOAs. Informally speaking, for
task-PIOAs $\mathcal{T}_1$ and $\mathcal{T}_2$, $\mathcal{T}_1 \leq_0 \mathcal{T}_2$ means that $\mathcal{T}_1$ "looks the same" as $\mathcal{T}_2$ to any environment $\mathcal{E}$. Here,
"looking the same" means that any trace distribution of $\mathcal{T}_1 \| \mathcal{E}$ is also a trace distribution of $\mathcal{T}_2 \| \mathcal{E}$.

Now we define another implementation relation, $\leq_{\epsilon, b, b_1, b_2}$, for task-PIOAs that allows some discrepancies
in the trace distributions and also takes time bounds into account. Informally speaking,
$\mathcal{T}_1 \leq_{\epsilon, b, b_1, b_2} \mathcal{T}_2$ means that $\mathcal{T}_1$ "looks almost the same" as task-PIOA $\mathcal{T}_2$ to any $b$-time-bounded
environment $\mathcal{E}$. The subscripts $b_1$ and $b_2$ in the relation $\leq_{\epsilon, b, b_1, b_2}$ represent time bounds on task schedulers.
Namely, in the definition of $\leq_{\epsilon, b, b_1, b_2}$, we assume that scheduling in $\mathcal{T}_1 \| \mathcal{E}$ is controlled by a $b_1$-time-bounded
task scheduler, and require that scheduling in $\mathcal{T}_2 \| \mathcal{E}$ be controlled by a $b_2$-time-bounded task scheduler.
The fact that these task-PIOAs look "almost the same" is observed through the special $accept$
output of $\mathcal{E}$:

Definition 3.59 If $\mathcal{T}$ is a closed task-PIOA and $\rho$ is a task scheduler for $\mathcal{T}$, then we define

$P_{accept}(\mathcal{T}, \rho) = \Pr[\beta \leftarrow tdist(\mathcal{T}, \rho) : \beta \text{ contains } accept]$,

that is, the probability that a trace chosen randomly from the trace distribution generated by $\rho$ contains
the $accept$ output action.

Definition 3.60 Suppose $\mathcal{T}_1$ and $\mathcal{T}_2$ are comparable task-PIOAs, $\epsilon, b \in \mathbb{R}^{\geq 0}$, and $b_1, b_2 \in \mathbb{N}$. Then we
say that $\mathcal{T}_1 \leq_{\epsilon, b, b_1, b_2} \mathcal{T}_2$ provided that, for every $b$-time-bounded environment $\mathcal{E}$ for both $\mathcal{T}_1$ and $\mathcal{T}_2$, and
for every $b_1$-time-bounded task scheduler $\rho_1$ for $\mathcal{T}_1 \| \mathcal{E}$, there is a $b_2$-time-bounded task scheduler $\rho_2$ for
$\mathcal{T}_2 \| \mathcal{E}$ such that

$|P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_2 \| \mathcal{E}, \rho_2)| \leq \epsilon$.

A useful property of the $\leq_{\epsilon, b, b_1, b_2}$ relation is that it is transitive:

Lemma 3.61 Suppose $\mathcal{T}_1$, $\mathcal{T}_2$ and $\mathcal{T}_3$ are three comparable task-PIOAs such that $\mathcal{T}_1 \leq_{\epsilon_{12}, b, b_1, b_2} \mathcal{T}_2$ and
$\mathcal{T}_2 \leq_{\epsilon_{23}, b, b_2, b_3} \mathcal{T}_3$, where $\epsilon_{12}, \epsilon_{23}, b \in \mathbb{R}^{\geq 0}$ and $b_1, b_2, b_3 \in \mathbb{N}$.

Then $\mathcal{T}_1 \leq_{\epsilon_{12} + \epsilon_{23}, b, b_1, b_3} \mathcal{T}_3$.

Proof. Fix $\mathcal{T}_1$, $\mathcal{T}_2$, $\mathcal{T}_3$ and all the constants as in the hypotheses. Consider any $b$-time-bounded
environment $\mathcal{E}$ for $\mathcal{T}_1$ and $\mathcal{T}_3$. We must show that, for every $b_1$-time-bounded task scheduler $\rho_1$ for $\mathcal{T}_1 \| \mathcal{E}$,
there is a $b_3$-time-bounded task scheduler $\rho_3$ for $\mathcal{T}_3 \| \mathcal{E}$ such that

$|P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}, \rho_3)| \leq \epsilon_{12} + \epsilon_{23}$.

Fix $\rho_1$ to be any $b_1$-time-bounded task scheduler for $\mathcal{T}_1 \| \mathcal{E}$. We consider two cases.

First, suppose that $\mathcal{E}$ is also an environment for $\mathcal{T}_2$. Then, since $\mathcal{T}_1 \leq_{\epsilon_{12}, b, b_1, b_2} \mathcal{T}_2$, we know that
there is a $b_2$-time-bounded task scheduler $\rho_2$ for $\mathcal{T}_2 \| \mathcal{E}$ such that

$|P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_2 \| \mathcal{E}, \rho_2)| \leq \epsilon_{12}$.

Then since $\mathcal{T}_2 \leq_{\epsilon_{23}, b, b_2, b_3} \mathcal{T}_3$, we may conclude that there is a $b_3$-time-bounded task scheduler $\rho_3$ for
$\mathcal{T}_3 \| \mathcal{E}$ such that

$|P_{accept}(\mathcal{T}_2 \| \mathcal{E}, \rho_2) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}, \rho_3)| \leq \epsilon_{23}$.

Combining these two properties by the triangle inequality, we obtain that:

$|P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}, \rho_3)|$
$\leq |P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_2 \| \mathcal{E}, \rho_2)| + |P_{accept}(\mathcal{T}_2 \| \mathcal{E}, \rho_2) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}, \rho_3)|$
$\leq \epsilon_{12} + \epsilon_{23}$,

as needed.

Second, consider the case where $\mathcal{E}$ is not an environment for $\mathcal{T}_2$. Then by Lemma 3.46, we obtain
another environment $\mathcal{E}'$ for $\mathcal{T}_1$, $\mathcal{T}_2$, and $\mathcal{T}_3$, such that $\mathcal{E} \| \mathcal{T}_1$ is isomorphic to $\mathcal{E}' \| \mathcal{T}_1$ and $\mathcal{E} \| \mathcal{T}_3$ is isomorphic
to $\mathcal{E}' \| \mathcal{T}_3$. We then apply case 1 to $\mathcal{E}'$, obtaining a $b_3$-time-bounded task scheduler $\rho_3$ for $\mathcal{T}_3 \| \mathcal{E}'$ such that

$|P_{accept}(\mathcal{T}_1 \| \mathcal{E}', \rho_1) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}', \rho_3)| \leq \epsilon_{12} + \epsilon_{23}$.

The isomorphism implies that

$P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) = P_{accept}(\mathcal{T}_1 \| \mathcal{E}', \rho_1)$

and

$P_{accept}(\mathcal{T}_3 \| \mathcal{E}, \rho_3) = P_{accept}(\mathcal{T}_3 \| \mathcal{E}', \rho_3)$.

Therefore,

$|P_{accept}(\mathcal{T}_1 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}, \rho_3)|$
$= |P_{accept}(\mathcal{T}_1 \| \mathcal{E}', \rho_1) - P_{accept}(\mathcal{T}_3 \| \mathcal{E}', \rho_3)|$
$\leq \epsilon_{12} + \epsilon_{23}$,

as needed. □

Another useful property of the $\leq_{\epsilon, b, b_1, b_2}$ relation is that, under certain conditions, it is preserved
under composition:

Lemma 3.62 Suppose $\epsilon, b, b_3 \in \mathbb{R}^{\geq 0}$, and $b_1, b_2 \in \mathbb{N}$. Suppose that $\mathcal{T}_1$, $\mathcal{T}_2$ are comparable task-PIOAs
such that $\mathcal{T}_1 \leq_{\epsilon, c_{comp}(b + b_3), b_1, b_2} \mathcal{T}_2$. Suppose that $\mathcal{T}_3$ is a $b_3$-time-bounded task-PIOA that is compatible
with both $\mathcal{T}_1$ and $\mathcal{T}_2$.
Then $\mathcal{T}_1 \| \mathcal{T}_3 \leq_{\epsilon, b, b_1, b_2} \mathcal{T}_2 \| \mathcal{T}_3$.

Proof. Fix $\mathcal{T}_1$, $\mathcal{T}_2$ and $\mathcal{T}_3$ and all the constants as in the hypotheses. Consider any $b$-time-bounded
environment $\mathcal{E}$ for $\mathcal{T}_1 \| \mathcal{T}_3$ and $\mathcal{T}_2 \| \mathcal{T}_3$. We must show that, for every $b_1$-time-bounded task scheduler $\rho_1$
for $\mathcal{T}_1 \| \mathcal{T}_3 \| \mathcal{E}$, there is a $b_2$-time-bounded task scheduler $\rho_2$ for $\mathcal{T}_2 \| \mathcal{T}_3 \| \mathcal{E}$ such that

$|P_{accept}(\mathcal{T}_1 \| \mathcal{T}_3 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_2 \| \mathcal{T}_3 \| \mathcal{E}, \rho_2)| \leq \epsilon$.

To show this, fix $\rho_1$ to be any $b_1$-time-bounded task scheduler for $\mathcal{T}_1 \| \mathcal{T}_3 \| \mathcal{E}$. The composition $\mathcal{T}_3 \| \mathcal{E}$ is
an environment for $\mathcal{T}_1$ and $\mathcal{T}_2$. Moreover, Lemma 3.56 implies that $\mathcal{T}_3 \| \mathcal{E}$ is $c_{comp}(b + b_3)$-time-bounded.

Since $\mathcal{T}_1 \leq_{\epsilon, c_{comp}(b + b_3), b_1, b_2} \mathcal{T}_2$, $\mathcal{T}_3 \| \mathcal{E}$ is a $c_{comp}(b + b_3)$-time-bounded environment for $\mathcal{T}_1$ and $\mathcal{T}_2$,
and $\rho_1$ is a $b_1$-time-bounded task scheduler for $\mathcal{T}_1 \| (\mathcal{T}_3 \| \mathcal{E})$, we know that there is a $b_2$-time-bounded task
scheduler $\rho_2$ for $\mathcal{T}_2 \| (\mathcal{T}_3 \| \mathcal{E})$ such that

$|P_{accept}(\mathcal{T}_1 \| \mathcal{T}_3 \| \mathcal{E}, \rho_1) - P_{accept}(\mathcal{T}_2 \| \mathcal{T}_3 \| \mathcal{E}, \rho_2)| \leq \epsilon$.

This is as needed. □

One last interesting property of our $\leq_{\epsilon, b, b_1, b_2}$ relation is that it is preserved when hiding output
actions of the related task-PIOAs:

Lemma 3.63 Suppose $\epsilon, b \in \mathbb{R}^{\geq 0}$, and $b_1, b_2 \in \mathbb{N}$. Suppose that $\mathcal{T}_1$, $\mathcal{T}_2$ are comparable task-PIOAs such
that $\mathcal{T}_1 \leq_{\epsilon, b, b_1, b_2} \mathcal{T}_2$. Suppose also that $\mathcal{U}$ is a set of output tasks of both $\mathcal{T}_1$ and $\mathcal{T}_2$.
Then $hide(\mathcal{T}_1, \mathcal{U}) \leq_{\epsilon, b, b_1, b_2} hide(\mathcal{T}_2, \mathcal{U})$.

Proof. This follows from the fact that every $b$-bounded environment for $hide(\mathcal{T}_1, \mathcal{U})$ and $hide(\mathcal{T}_2, \mathcal{U})$
is also a $b$-bounded environment for $\mathcal{T}_1$ and $\mathcal{T}_2$. □

3.4.6 Simulation Relations

The simulation relation we defined in Section 3.3.8 can be applied to time-bounded task-PIOAs. We
obtain the following additional soundness theorem:

Theorem 3.64 Let $\mathcal{T}_1$ and $\mathcal{T}_2$ be two comparable task-PIOAs, $b \in \mathbb{R}^{\geq 0}$, and $c, b_1 \in \mathbb{N}$. Suppose that,
for every $b$-bounded environment $\mathcal{E}$ for $\mathcal{T}_1$ and $\mathcal{T}_2$, there exists a simulation relation from $\mathcal{T}_1 \| \mathcal{E}$ to $\mathcal{T}_2 \| \mathcal{E}$,
for which $|corrtasks(S, T)| \leq c$ for every $S$ and $T$.
Then $\mathcal{T}_1 \leq_{0, b, b_1, c b_1} \mathcal{T}_2$.

Proof. By Theorem 3.53 and the definition of our new implementation relation. □
3.5 Task-PIOA Families

Here we define families of task-PIOAs, and define what it means for a family of task-PIOAs to be
time-bounded by a function of the index of the family.

3.5.1 Basic Definitions

A task-PIOA family, $\bar{\mathcal{T}}$, is an indexed set, $\{\mathcal{T}_k\}_{k \in \mathbb{N}}$, of task-PIOAs. A task-PIOA family $\bar{\mathcal{T}} = \{\mathcal{T}_k\}_{k \in \mathbb{N}}$
is said to be closed provided that, for every $k$, $\mathcal{T}_k$ is closed.

Two task-PIOA families $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$ and $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$ are said to be comparable provided
that, for every $k$, $(\mathcal{T}_1)_k$ and $(\mathcal{T}_2)_k$ are comparable.

Two task-PIOA families $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$ and $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$ are said to be compatible provided
that, for every $k$, $(\mathcal{T}_1)_k$ and $(\mathcal{T}_2)_k$ are compatible. Two compatible task-PIOA families $\bar{\mathcal{T}}_1 =
\{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$ and $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$ can be composed to yield $\bar{\mathcal{T}} = \{(\mathcal{T})_k\}_{k \in \mathbb{N}} = \bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_2$ by defining
$(\mathcal{T})_k = (\mathcal{T}_1)_k \| (\mathcal{T}_2)_k$ for every $k$.

Definition 3.65 A task-set family for a task-PIOA family $\bar{\mathcal{T}} = \{\mathcal{T}_k\}_{k \in \mathbb{N}}$ is an indexed set, $\bar{\mathcal{U}} =
\{\mathcal{U}_k\}_{k \in \mathbb{N}}$, where each $\mathcal{U}_k$ is a set of tasks of $\mathcal{T}_k$. We say that $\bar{\mathcal{U}}$ is an output-task-set family if each $\mathcal{U}_k$
is a set of output tasks of $\mathcal{T}_k$.

If $\bar{\mathcal{T}}$ is a task-PIOA family and $\bar{\mathcal{U}}$ is an output-task-set family for $\bar{\mathcal{T}}$, then we define $hide(\bar{\mathcal{T}}, \bar{\mathcal{U}})$ to
be the family $\{hide(\mathcal{T}_k, \mathcal{U}_k)\}_{k \in \mathbb{N}}$.

A task-scheduler family $\bar{\rho}$ for a closed task-PIOA family $\bar{\mathcal{T}} = \{\mathcal{T}_k\}_{k \in \mathbb{N}}$ is an indexed set, $\{\rho_k\}_{k \in \mathbb{N}}$ of
task schedulers, where $\rho_k$ is a task scheduler for $\mathcal{T}_k$.

3.5.2 Time-Bounded Task-PIOA Families

Definition 3.66 The task-PIOA family $\bar{\mathcal{T}} = \{\mathcal{T}_k\}_{k \in \mathbb{N}}$ is said to be $b$-time-bounded (or non-uniformly
$b$-time-bounded), where $b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, provided that $\mathcal{T}_k$ is $b(k)$-time-bounded for every $k$.

This definition allows different Turing machines to be used for each $k$. In some situations, we will
add a uniformity condition requiring the same Turing machines to be used for all task-PIOAs of the
family; these machines receive $k$ as an auxiliary input.

Definition 3.67 The task-PIOA family $\bar{\mathcal{T}} = \{\mathcal{T}_k\}_{k \in \mathbb{N}}$ is said to be uniformly $b$-time-bounded, where
$b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, provided that:

1. $\mathcal{T}_k$ is $b(k)$-time-bounded for every $k$.

2. There is a deterministic Turing machine that, given $k$ and a candidate state $q$, decides whether
$q$ is a state of $\mathcal{T}_k$, and always runs in time at most $b(k)$. Similarly for a candidate start state,
input action, output action, internal action, transition, input task, output task, internal task,
or state equivalence class. Also, there is a deterministic Turing machine that, given $k$ and two
candidate actions $a_1$ and $a_2$, decides whether $(a_1, a_2) \in RA_{\mathcal{T}_k}$, and always runs in time at most
$b(k)$; similarly for $k$, two candidate states $q_1$ and $q_2$, and $RS_{\mathcal{T}_k}$. Also, there is a deterministic
Turing machine that, given $k$, an action $a$ of $\mathcal{T}_k$ and a task $T$, decides whether $a \in T$; again this
machine runs in time at most $b(k)$.

3. There is a deterministic Turing machine $M_{act}$ that, given $k$, a state $q$ of $\mathcal{T}_k$ and an output or
internal task $T$ of $\mathcal{T}_k$, produces the unique action $a$ in task $T$ that is enabled in $q$ if one exists,
and otherwise produces a special "no-action" indicator. Moreover, $M_{act}$ always runs in time at
most $b(k)$.

4. There is a probabilistic Turing machine $M_{state}$ that, given $k$, a state $q$ of $\mathcal{T}_k$, and the representation
of an action $a$ of $\mathcal{T}_k$ that is enabled in $q$, produces the next state resulting from the unique transition
of $\mathcal{T}_k$ of the form $(q, a, \mu)$. Moreover, $M_{state}$ always runs in time at most $b(k)$.
Lemma 3.68 Suppose $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ are two compatible task-PIOA families, $\bar{\mathcal{T}}_1$ is $b_1$-time-bounded, and
$\bar{\mathcal{T}}_2$ is $b_2$-time-bounded, where $b_1, b_2 : \mathbb{N} \to \mathbb{R}^{\geq 0}$. Then $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_2$ is a $c_{comp}(b_1 + b_2)$-time-bounded task-PIOA
family.

Proof. By Lemma 3.56 and the definition of a time-bounded task-PIOA family. □

Lemma 3.69 Suppose $\bar{\mathcal{T}}$ is a $b$-time-bounded task-PIOA family, where $b : \mathbb{N} \to \mathbb{R}^{\geq 0}$. Suppose that
$\bar{\mathcal{U}} = \{\mathcal{U}_k\}_{k \in \mathbb{N}}$ is a task-set family for $\bar{\mathcal{T}}$, where each $\mathcal{U}_k$ is a set of output tasks for $\mathcal{T}_k$ with $|\mathcal{U}_k| \leq c$.
Then $hide(\bar{\mathcal{T}}, \bar{\mathcal{U}})$ is a $c_{hide}(c + 1)b$-time-bounded task-PIOA family.

Proof. By Lemma 3.57. □

Definition 3.70 Let $\bar{\rho} = \{\rho_k\}_{k \in \mathbb{N}}$ be a task-scheduler family for a closed task-PIOA family $\bar{\mathcal{T}} =
\{\mathcal{T}_k\}_{k \in \mathbb{N}}$. Then $\bar{\rho}$ is said to be $b$-time-bounded, where $b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, provided that $\rho_k$ is $b(k)$-time-bounded
for every $k$.

Now we extend the time-bounded implementation notion to task-PIOA families:

Definition 3.71 Suppose $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$ and $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$ are comparable task-PIOA families
and $\epsilon$, $b$, $b_1$ and $b_2$ are functions, where $\epsilon, b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, and $b_1, b_2 : \mathbb{N} \to \mathbb{N}$. Then we say that
$\bar{\mathcal{T}}_1 \leq_{\epsilon, b, b_1, b_2} \bar{\mathcal{T}}_2$ provided that $(\mathcal{T}_1)_k \leq_{\epsilon(k), b(k), b_1(k), b_2(k)} (\mathcal{T}_2)_k$ for every $k$.

Our previous transitivity result for individual automata carries over to families:

Lemma 3.72 Suppose $\bar{\mathcal{T}}_1$, $\bar{\mathcal{T}}_2$ and $\bar{\mathcal{T}}_3$ are three comparable task-PIOA families such that $\bar{\mathcal{T}}_1 \leq_{\epsilon_{12}, b, b_1, b_2}
\bar{\mathcal{T}}_2$ and $\bar{\mathcal{T}}_2 \leq_{\epsilon_{23}, b, b_2, b_3} \bar{\mathcal{T}}_3$, where $\epsilon_{12}, \epsilon_{23}, b : \mathbb{N} \to \mathbb{R}^{\geq 0}$ and $b_1, b_2, b_3 : \mathbb{N} \to \mathbb{N}$.
Then $\bar{\mathcal{T}}_1 \leq_{\epsilon_{12} + \epsilon_{23}, b, b_1, b_3} \bar{\mathcal{T}}_3$.

Proof. Suppose $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$, $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$ and $\bar{\mathcal{T}}_3 = \{(\mathcal{T}_3)_k\}_{k \in \mathbb{N}}$ are three comparable
task-PIOA families satisfying the hypotheses. Then Definition 3.71 implies that, for every $k$,
$(\mathcal{T}_1)_k \leq_{\epsilon_{12}(k), b(k), b_1(k), b_2(k)} (\mathcal{T}_2)_k$ and $(\mathcal{T}_2)_k \leq_{\epsilon_{23}(k), b(k), b_2(k), b_3(k)} (\mathcal{T}_3)_k$. Lemma 3.61 then implies that,
for every $k$, $(\mathcal{T}_1)_k \leq_{\epsilon_{12}(k) + \epsilon_{23}(k), b(k), b_1(k), b_3(k)} (\mathcal{T}_3)_k$. Applying Definition 3.71 once again, we obtain that
$\bar{\mathcal{T}}_1 \leq_{\epsilon_{12} + \epsilon_{23}, b, b_1, b_3} \bar{\mathcal{T}}_3$, as needed. □

Our previous composition result for individual automata also carries over to families:

Lemma 3.73 Suppose $\epsilon, b, b_3 : \mathbb{N} \to \mathbb{R}^{\geq 0}$, and $b_1, b_2 : \mathbb{N} \to \mathbb{N}$. Suppose $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ are comparable
families of task-PIOAs such that $\bar{\mathcal{T}}_1 \leq_{\epsilon, c_{comp}(b + b_3), b_1, b_2} \bar{\mathcal{T}}_2$. Suppose that $\bar{\mathcal{T}}_3$ is a $b_3$-time-bounded task-PIOA
family that is compatible with both $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$.
Then $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_3 \leq_{\epsilon, b, b_1, b_2} \bar{\mathcal{T}}_2 \| \bar{\mathcal{T}}_3$.

Proof. Fix $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$, $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$, $\bar{\mathcal{T}}_3 = \{(\mathcal{T}_3)_k\}_{k \in \mathbb{N}}$ and all the functions as in the
hypotheses. By Definition 3.71, for every $k$, $(\mathcal{T}_1)_k \leq_{\epsilon(k), c_{comp}(b + b_3)(k), b_1(k), b_2(k)} (\mathcal{T}_2)_k$. Lemma 3.62 then
implies that, for every $k$, $(\mathcal{T}_1)_k \| (\mathcal{T}_3)_k \leq_{\epsilon(k), b(k), b_1(k), b_2(k)} (\mathcal{T}_2)_k \| (\mathcal{T}_3)_k$. Applying Definition 3.71 once
again, we obtain that $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_3 \leq_{\epsilon, b, b_1, b_2} \bar{\mathcal{T}}_2 \| \bar{\mathcal{T}}_3$, as needed. □

Hiding output actions of task-PIOA families also preserves the new relation:

Lemma 3.74 Suppose $\epsilon, b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, and $b_1, b_2 : \mathbb{N} \to \mathbb{N}$. Suppose that $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ are comparable
task-PIOA families such that $\bar{\mathcal{T}}_1 \leq_{\epsilon, b, b_1, b_2} \bar{\mathcal{T}}_2$. Suppose that $\bar{\mathcal{U}}$ is an output-task-set family for both $\bar{\mathcal{T}}_1$
and $\bar{\mathcal{T}}_2$.
Then $hide(\bar{\mathcal{T}}_1, \bar{\mathcal{U}}) \leq_{\epsilon, b, b_1, b_2} hide(\bar{\mathcal{T}}_2, \bar{\mathcal{U}})$.

Proof. By Lemma 3.63. □

Finally, we obtain a soundness result for simulation relations:

Theorem 3.75 Let $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ be comparable task-PIOA families, $c \in \mathbb{N}$, $b : \mathbb{N} \to \mathbb{R}^{\geq 0}$, and $b_1 : \mathbb{N} \to \mathbb{N}$.
Suppose that, for every $k$, and for every $b(k)$-bounded environment $\mathcal{E}$ for $(\mathcal{T}_1)_k$ and $(\mathcal{T}_2)_k$, there exists
a simulation relation from $(\mathcal{T}_1)_k \| \mathcal{E}$ to $(\mathcal{T}_2)_k \| \mathcal{E}$, for which $|corrtasks(S, T)| \leq c$ for every $S$ and $T$.
Then $\bar{\mathcal{T}}_1 \leq_{0, b, b_1, c b_1} \bar{\mathcal{T}}_2$.

Proof. By Theorem 3.64. □

3.5.3 Polynomial-Time Task-PIOA Families

Definition 3.76 The task-PIOA family $\bar{\mathcal{T}}$ is said to be polynomial-time-bounded (or non-uniformly
polynomial-time-bounded) provided that there exists a polynomial $p$ such that $\bar{\mathcal{T}}$ is $p$-time-bounded.

$\bar{\mathcal{T}}$ is said to be uniformly polynomial-time-bounded provided that there exists a polynomial $p$ such
that $\bar{\mathcal{T}}$ is uniformly $p$-time-bounded.

Lemma 3.77 Suppose $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ are two compatible polynomial-time-bounded task-PIOA families. Then
$\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_2$ is a polynomial-time-bounded task-PIOA family.

Proof. Suppose $p_1$ and $p_2$ are polynomials such that $\bar{\mathcal{T}}_1$ is $p_1$-time-bounded and $\bar{\mathcal{T}}_2$ is $p_2$-time-bounded.
Then by Lemma 3.68, $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_2$ is $c_{comp}(p_1 + p_2)$-time-bounded, which implies that it is
polynomial-time-bounded. □

Lemma 3.78 Suppose $\bar{\mathcal{T}}$ is a polynomial-time-bounded task-PIOA family. Suppose that $\bar{\mathcal{U}} = \{\mathcal{U}_k\}_{k \in \mathbb{N}}$
is a task-set family for $\bar{\mathcal{T}}$, where each $\mathcal{U}_k$ is a set of output tasks for $\mathcal{T}_k$ with $|\mathcal{U}_k| \leq c$. Then $hide(\bar{\mathcal{T}}, \bar{\mathcal{U}})$
is a polynomial-time-bounded task-PIOA family.

Proof. By Lemma 3.69. □

Definition 3.79 Let $\bar{\rho} = \{\rho_k\}_{k \in \mathbb{N}}$ be a task-scheduler family for a closed task-PIOA family $\bar{\mathcal{T}} =
\{\mathcal{T}_k\}_{k \in \mathbb{N}}$. Then $\bar{\rho}$ is said to be polynomial-time-bounded provided that there exists a polynomial $p$
such that $\bar{\rho}$ is $p$-time-bounded.

In the context of cryptography, we will want to say that, for every polynomial-time-bounded environment,
the probability of distinguishing two systems is "negligible". The notion of negligible probability
is expressed by saying that the probability must be less than a negligible function $\epsilon$:

Definition 3.80 A function $\epsilon : \mathbb{N} \to \mathbb{R}^{\geq 0}$ is said to be negligible iff, for every constant $c \in \mathbb{R}^+$, there exists $k_0$
such that, $\forall k \geq k_0$, $\epsilon(k) < \frac{1}{k^c}$.

Definition 3.81 Suppose $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ are comparable task-PIOA families. We say that $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$
iff, for every polynomial $p$ and polynomial $p_1$, there is a polynomial $p_2$ and a negligible function $\epsilon$ such
that $\bar{\mathcal{T}}_1 \leq_{\epsilon, p, p_1, p_2} \bar{\mathcal{T}}_2$.



Lemma 3.82 Suppose $\bar{\mathcal{T}}_1$, $\bar{\mathcal{T}}_2$ and $\bar{\mathcal{T}}_3$ are three comparable task-PIOA families such that $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$
and $\bar{\mathcal{T}}_2 \leq_{neg,pt} \bar{\mathcal{T}}_3$.
Then $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_3$.

Proof. Suppose $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$, $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$ and $\bar{\mathcal{T}}_3 = \{(\mathcal{T}_3)_k\}_{k \in \mathbb{N}}$ are three comparable
task-PIOA families satisfying the hypotheses. To show that $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_3$, we fix polynomials $p$ and
$p_1$; we must obtain a polynomial $p_3$ and a negligible function $\epsilon_{13}$ such that $\bar{\mathcal{T}}_1 \leq_{\epsilon_{13}, p, p_1, p_3} \bar{\mathcal{T}}_3$.

Since $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$, we know that there exist a polynomial $p_2$ and a negligible function $\epsilon_{12}$ such that
$\bar{\mathcal{T}}_1 \leq_{\epsilon_{12}, p, p_1, p_2} \bar{\mathcal{T}}_2$. Then since $\bar{\mathcal{T}}_2 \leq_{neg,pt} \bar{\mathcal{T}}_3$ (applied to the polynomials $p$ and $p_2$), we may conclude
that there exist a polynomial $p_3$ and a negligible function $\epsilon_{23}$ such that $\bar{\mathcal{T}}_2 \leq_{\epsilon_{23}, p, p_2, p_3} \bar{\mathcal{T}}_3$. Let
$\epsilon_{13} = \epsilon_{12} + \epsilon_{23}$, which is again a negligible function. Then Lemma 3.72 implies that
$\bar{\mathcal{T}}_1 \leq_{\epsilon_{13}, p, p_1, p_3} \bar{\mathcal{T}}_3$, as needed. □
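The proof uses that $\epsilon_{13} = \epsilon_{12} + \epsilon_{23}$ is again negligible. That step is standard but not spelled out in the text; here is the short argument in the notation of Definition 3.80 (added here, not part of the original). Fix any $c \in \mathbb{R}^+$. Because $\epsilon_{12}$ and $\epsilon_{23}$ are negligible, applying Definition 3.80 with the constant $c + 1$ gives $k_1, k_2$ such that

$$\forall k \geq k_1:\ \epsilon_{12}(k) < \frac{1}{k^{c+1}}, \qquad \forall k \geq k_2:\ \epsilon_{23}(k) < \frac{1}{k^{c+1}}.$$

Hence, for every $k \geq k_0 := \max(k_1, k_2, 2)$,

$$\epsilon_{12}(k) + \epsilon_{23}(k) < \frac{2}{k^{c+1}} = \frac{2}{k} \cdot \frac{1}{k^{c}} \leq \frac{1}{k^{c}},$$

which is exactly the condition of Definition 3.80 for $\epsilon_{13}$ with this $k_0$. The same argument shows that the sum of any fixed number of negligible functions is negligible, which is what the chaining in Lemmas 3.72 and 3.82 relies on.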

The $\leq_{neg,pt}$ relation is also preserved under composition with polynomial-time-bounded task-PIOA
families.
Lemma 3.83 Suppose $\bar{\mathcal{T}}_1$, $\bar{\mathcal{T}}_2$ are comparable families of task-PIOAs such that $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$, and
suppose $\bar{\mathcal{T}}_3$ is a polynomial-time-bounded task-PIOA family, compatible with both $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$.
Then $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_3 \leq_{neg,pt} \bar{\mathcal{T}}_2 \| \bar{\mathcal{T}}_3$.

Proof. Suppose $\bar{\mathcal{T}}_1 = \{(\mathcal{T}_1)_k\}_{k \in \mathbb{N}}$, $\bar{\mathcal{T}}_2 = \{(\mathcal{T}_2)_k\}_{k \in \mathbb{N}}$, and $\bar{\mathcal{T}}_3 = \{(\mathcal{T}_3)_k\}_{k \in \mathbb{N}}$ are as in the hypotheses.
Fix a polynomial $q$ such that $\bar{\mathcal{T}}_3$ is $q$-time-bounded. To show that $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_3 \leq_{neg,pt} \bar{\mathcal{T}}_2 \| \bar{\mathcal{T}}_3$, we
fix polynomials $p$ and $p_1$; we must obtain a polynomial $p_2$ and a negligible function $\epsilon$ such that
$\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_3 \leq_{\epsilon, p, p_1, p_2} \bar{\mathcal{T}}_2 \| \bar{\mathcal{T}}_3$.

Define $p'$ to be the polynomial $c_{comp}(p + q)$. Since $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$, there exist a polynomial $p_2$ and a
negligible function $\epsilon$ such that $\bar{\mathcal{T}}_1 \leq_{\epsilon, p', p_1, p_2} \bar{\mathcal{T}}_2$. Lemma 3.73 then implies that $\bar{\mathcal{T}}_1 \| \bar{\mathcal{T}}_3 \leq_{\epsilon, p, p_1, p_2} \bar{\mathcal{T}}_2 \| \bar{\mathcal{T}}_3$,
as needed. □

Hiding output actions of the task-PIOAs that we compare also preserves the $\leq_{neg,pt}$ relation.

Lemma 3.84 Suppose that $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ are comparable task-PIOA families such that $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$.
Suppose that $\bar{\mathcal{U}}$ is an output-task-set family for both $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$.
Then $hide(\bar{\mathcal{T}}_1, \bar{\mathcal{U}}) \leq_{neg,pt} hide(\bar{\mathcal{T}}_2, \bar{\mathcal{U}})$.

Proof. By Lemma 3.74. □

And we have another soundness result for simulation relations:

Theorem 3.85 Let $\bar{\mathcal{T}}_1$ and $\bar{\mathcal{T}}_2$ be comparable task-PIOA families, $c \in \mathbb{N}$.
Suppose that for every polynomial $p$, for every $k$, and for every $p(k)$-bounded environment $\mathcal{E}$ for $(\mathcal{T}_1)_k$
and $(\mathcal{T}_2)_k$, there exists a simulation relation from $(\mathcal{T}_1)_k \| \mathcal{E}$ to $(\mathcal{T}_2)_k \| \mathcal{E}$, for which $|corrtasks(S, T)| \leq c$
for every $S$ and $T$.
Then $\bar{\mathcal{T}}_1 \leq_{neg,pt} \bar{\mathcal{T}}_2$.

Proof. By Theorem 3.75: for every polynomial $p$ and $p_1$ it gives $\bar{\mathcal{T}}_1 \leq_{0, p, p_1, c p_1} \bar{\mathcal{T}}_2$; the zero function
is negligible and $c p_1$ is a polynomial, so Definition 3.81 is satisfied. □
4 Ideal Systems for Oblivious Transfer

At this point, having developed the basic machinery, we are ready to tackle our example. In this section,
we define "ideal systems" for Oblivious Transfer, which are used as specifications for the correctness and
secrecy properties that are supposed to be guaranteed by an Oblivious Transfer protocol. The definitions
are based on Canetti's definition of Oblivious Transfer in the Universal Composability framework [C01].
We parameterize our ideal systems by a set $C \subseteq \{Trans, Rec\}$, which indicates the corrupted endpoints.
The system consists of two interacting task-PIOAs: the Functionality $Funct(C)$ and the Simulator $Sim(C)$.

Notation: The states of each task-PIOA for which we provide explicit code are structured in terms
of a collection of state variables. Given a state $q$ of a task-PIOA and a state variable $v$, we write $q.v$
for the value of $v$ in state $q$.

4.1 The Oblivious Transfer Functionality

$Funct(C)$ has two endpoints corresponding to $Trans$ and $Rec$. $Funct(C)$ receives $in$ inputs at both
endpoints. If $Rec \in C$, then $Funct(C)$ produces $out'$ outputs at the $Rec$ endpoint, which are inputs
to $Sim(C)$. Otherwise, it produces $out$ outputs, which are not inputs to $Sim(C)$. Task-PIOA $Funct(C)$ is
defined in Figure 1.



Funct(C):

Signature:
  Input:
    in(x)_Trans, x ∈ ({0,1} → {0,1})
    in(i)_Rec, i ∈ {0,1}
  Output:
    if Rec ∉ C then out(x)_Rec, x ∈ {0,1}
    if Rec ∈ C then out'(x)_Rec, x ∈ {0,1}

State:
  inval(Trans) ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  inval(Rec) ∈ {0, 1, ⊥}, initially ⊥

Transitions:
  in(x)_Trans
    Effect:
      if inval(Trans) = ⊥ then inval(Trans) := x

  in(i)_Rec
    Effect:
      if inval(Rec) = ⊥ then inval(Rec) := i

  out(x)_Rec or out'(x)_Rec
    Precondition:
      inval(Trans), inval(Rec) ≠ ⊥
      x = inval(Trans)(inval(Rec))
    Effect:
      none

Tasks: {in(*)_Trans}, {in(*)_Rec}.
  If Rec ∉ C then {out(*)_Rec}.
  If Rec ∈ C then {out'(*)_Rec}.

State relation: q_1 and q_2 are related iff:
  q_1.inval(Trans) = ⊥ iff q_2.inval(Trans) = ⊥, and q_1.inval(Rec) = ⊥ iff q_2.inval(Rec) = ⊥.

Figure 1: The Functionality, Funct(C)
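The figure is compact but easy to misread (for instance, which bit leaves the functionality, and when). The following Python rendering of Funct(C) is an added example, not code from the paper: it keeps the state variables, the guarded effects of the two input actions, the $M_{act}$-style computation of the unique enabled action in the output task (Definition 3.55, part 3), and the state relation as an equivalence-class function. `run_ideal` is a constructed driver that plays the environment and the task scheduler; all identifiers are chosen here.

```python
"""Executable rendering of the ideal OT functionality Funct(C) of Figure 1.
Added example, not the paper's code.  The in actions are driven by the
environment; the only task Funct(C) itself controls is its output task."""

TRANS, REC = "Trans", "Rec"
BOT = None  # the paper's ⊥


class Funct:
    def __init__(self, C):
        self.C = frozenset(C)                    # corrupted endpoints, C ⊆ {Trans, Rec}
        self.inval = {TRANS: BOT, REC: BOT}      # state variables inval(Trans), inval(Rec)
        self.trace = []                          # external actions, in order

    # Input actions.  Effects are guarded: only the first input at an endpoint counts.
    def in_Trans(self, x):
        """in(x)_Trans, x : {0,1} -> {0,1} given as {0: bit, 1: bit}."""
        if set(x) != {0, 1} or not set(x.values()) <= {0, 1}:
            raise ValueError("x must be a function {0,1} -> {0,1}")
        self.trace.append(("in", TRANS, dict(x)))
        if self.inval[TRANS] is BOT:
            self.inval[TRANS] = dict(x)

    def in_Rec(self, i):
        """in(i)_Rec, i in {0,1}."""
        if i not in (0, 1):
            raise ValueError("i must be 0 or 1")
        self.trace.append(("in", REC, i))
        if self.inval[REC] is BOT:
            self.inval[REC] = i

    # Tasks controlled by Funct(C): exactly one output task, whose name depends on C.
    def tasks(self):
        return [("out'" if REC in self.C else "out", REC)]

    def next_action(self, task):
        """M_act of Definition 3.55: the unique action of `task` enabled in the
        current state, or None as the "no-action" indicator."""
        if task not in self.tasks():
            raise ValueError(f"{task} is not an output or internal task of Funct(C)")
        if self.inval[TRANS] is BOT or self.inval[REC] is BOT:
            return None                           # precondition not satisfied
        x = self.inval[TRANS][self.inval[REC]]    # x = inval(Trans)(inval(Rec))
        return (task[0], REC, x)

    def perform(self, task):
        """Schedule `task`: perform its enabled action (effect: none) and record it."""
        a = self.next_action(task)
        if a is not None:
            self.trace.append(a)
        return a

    def equivalence_class(self):
        """State relation of Figure 1: states are related iff the same variables are ⊥."""
        return (self.inval[TRANS] is BOT, self.inval[REC] is BOT)


def run_ideal(C, x, i, schedule):
    """Constructed driver: the environment supplies both inputs, then the task
    scheduler `schedule` (a list of tasks, Definition 3.58) is applied in order."""
    f = Funct(C)
    f.in_Trans(x)
    f.in_Rec(i)
    return f, [f.perform(t) for t in schedule]
```

Two things are worth noticing when running it: the output task is disabled until both inputs have arrived, and the only value that ever appears in the trace is inval(Trans)(inval(Rec)). The other input bit and the index itself never leave Funct(C), which is exactly the secrecy the ideal system is meant to specify; a later input at an endpoint that already holds a value is recorded in the trace but has no effect, as in the figure.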



4.2 The Simulator

$Sim(C)$ is an arbitrary task-PIOA satisfying certain constraints. $Sim(C)$ receives $in$ inputs at endpoints
in $C$. It also acts as an intermediary for outputs at $Rec$ if $Rec \in C$, receiving $out'$ outputs from $Funct(C)$
and producing $out$ outputs. $Sim(C)$ may also have other, arbitrary, input and output actions. The
constraints on the signature and relations of $Sim(C)$ are given in Figure 2.

Signature:
  Input:
    if Trans ∈ C then in(x)_Trans, x ∈ ({0,1} → {0,1})
    if Rec ∈ C then in(i)_Rec, i ∈ {0,1}
    if Rec ∈ C then out'(x)_Rec, x ∈ {0,1}
    Arbitrary other input actions
  Output:
    if Rec ∈ C then out(x)_Rec, x ∈ {0,1}
    Arbitrary other output actions
  Internal:
    Arbitrary internal actions

Tasks:
  If Trans ∈ C then {in(*)_Trans}.
  If Rec ∈ C then {in(*)_Rec}, {out'(*)_Rec}, {out(*)_Rec}.
  Arbitrary tasks for other actions.

State relation: Arbitrary, subject to the consistency requirements.

Figure 2: Constraints on Sim(C)



4.3 The Complete System

A complete ideal system with parameter $C$ is obtained by composing the task-PIOA $Funct(C)$ with
some $Sim(C)$, and then, if $Rec \in C$, hiding all $out'$ actions.

5 Random Source Automata

We will sometimes find it convenient to separate out random choices into separate "random source"
components. One type of random source is one that simply chooses and outputs a single value, obtained
from a designated probability distribution. We define this type of source by a task-PIOA $Src(D, \mu)$,
parameterized by a probability distribution $(D, \mu)$. When $\mu$ is the uniform distribution over $D$, we
write simply $Src(D)$.

The code for task-PIOA $Src(D, \mu)$ appears in Figure 3. Note that the equivalence classes obliterate
distinctions based on the particular randomly chosen values.

We extend this definition to indexed families of data types and distributions, $\bar{D} = \{D_k\}_{k \in \mathbb{N}}$ and
$\bar{\mu} = \{\mu_k\}_{k \in \mathbb{N}}$, to yield an indexed family of random source automata, $Src(\bar{D}, \bar{\mu}) = \{Src(D_k, \mu_k)\}_{k \in \mathbb{N}}$.
As before, when every $\mu_k$ is the uniform distribution, we write simply $Src(\bar{D}) = \{Src(D_k)\}_{k \in \mathbb{N}}$.

6 Real Systems

A real system is defined as a parameterized task-PIOA, with the following parameters:

• $D$, a finite domain.

• $Tdp$, a set of trap door permutations for domain $D$.

• $C \subseteq \{Trans, Rec\}$, representing the corrupted endpoints.

Based on these, we define the following derived sets:

• $Tdpp = \{(f, f^{-1}) : f \in Tdp\}$, the set of trap door permutation pairs for domain $D$. If $p =
(f, f^{-1}) \in Tdpp$, then we refer to the components $f$ and $f^{-1}$ of $p$ using record notation, as
$p.funct$ and $p.inverse$, respectively.
Src(D, μ):

Signature:
  Input:
    none
  Output:
    rand(d), d ∈ D
  Internal:
    choose-rand

State:
  chosenval ∈ D ∪ {⊥}, initially ⊥

Transitions:
  choose-rand
    Precondition:
      chosenval = ⊥
    Effect:
      chosenval := choose-random(D, μ)

  rand(d)
    Precondition:
      d = chosenval ≠ ⊥
    Effect:
      none

Tasks: {choose-rand}, {rand(*)}.

State relation: q_1 and q_2 are related iff:
  q_1.chosenval = ⊥ iff q_2.chosenval = ⊥.

Figure 3: Code for Src(D, μ)

• $M$, the message alphabet, equal to $\{(1, f) : f \in Tdp\} \cup \{(2, z) : z \in (\{0,1\} \to D)\} \cup \{(3, b) : b \in
(\{0,1\} \to \{0,1\})\}$.

A real system with parameters $(D, Tdp, C)$ consists of five interacting task-PIOAs: the Transmitter
$Trans(D, Tdp)$, the Receiver $Rec(D, Tdp, C)$, the Adversary $Adv(D, Tdp, C)$, and two random source
automata $Src(Tdpp)_{tdpp}$ and $Src(\{0,1\} \to D)_{yval}$. $Src(Tdpp)_{tdpp}$ and $Src(\{0,1\} \to D)_{yval}$ are isomorphic
to $Src(Tdpp)$ and $Src(\{0,1\} \to D)$ defined as in Section 5; the difference is that the literal
subscripts $tdpp$ and $yval$ are added to the names of the automata and to their actions. Throughout
this section, we abbreviate the automaton names by omitting their parameters when no confusion seems
likely.

6.1 The Transmitter

$Trans(D, Tdp)$ receives $in$ inputs from the environment of the real system. It produces $send$ outputs
to and receives $receive$ inputs from $Adv$. It also receives $rand_{tdpp}$ inputs from $Src_{tdpp}$. Task-PIOA
$Trans(D, Tdp)$ is defined in Figure 4.

Lemma 6.1 In every reachable state of $Trans(D, Tdp)$:

1. If $bval \neq \bot$ then $tdpp \neq \bot$, $zval \neq \bot$, $inval \neq \bot$, and $\forall i \in \{0,1\}$, $bval(i) = B(tdpp.inverse(zval(i))) \oplus
inval(i)$.

6.2 The Receiver 

Rec(D,Tdp,C) receives in inputs from the environment of the real system. Also, if Rec G C, then 
Rec(D,Tdp,C) produces out' outputs to Adv, whereas if Rec fi C, then Rec{D,Tdp,C) produces out 
outputs for the environment. Rec{D, Tdp, C) provides send outputs to and receives receive inputs from 
Adv. It also receives rand yva i inputs from Src yva i- 
Task-PIOA Rec(D,Tdp, C) is defined in Figure 5. 

Lemma 6.2 In every reachable state of Rec(D,Tdp,C):

1. If zval = z ≠ ⊥ then yval ≠ ⊥, inval ≠ ⊥, tdp ≠ ⊥, z(inval) = tdp(yval(inval)), and z(1 − inval) = yval(1 − inval).

Trans(D,Tdp):

Signature:

Input:
in(x)_Trans, x ∈ ({0,1} → {0,1})
rand(p)_tdpp, p ∈ Tdpp
receive(2,z)_Trans, z ∈ ({0,1} → D)

Output:
send(1,f)_Trans, f ∈ Tdp
send(3,b)_Trans, b ∈ ({0,1} → {0,1})

Internal:
fix-bval_Trans

State:
inval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:

in(x)_Trans
Effect:
if inval = ⊥ then inval := x

receive(2,z)_Trans
Effect:
if zval = ⊥ then zval := z

rand(p)_tdpp
Effect:
if tdpp = ⊥ then tdpp := p

send(1,f)_Trans
Precondition:
tdpp ≠ ⊥, f = tdpp.funct
Effect:
none

fix-bval_Trans
Precondition:
tdpp, zval, inval ≠ ⊥
bval = ⊥
Effect:
for i ∈ {0,1} do
bval(i) := B(tdpp.inverse(zval(i))) ⊕ inval(i)

send(3,b)_Trans
Precondition:
b = bval ≠ ⊥
Effect:
none

Tasks: {in(*)_Trans}, {rand(*)_tdpp}, {send(1,*)_Trans}, {receive(2,*)_Trans}, {send(3,*)_Trans}, {fix-bval_Trans}.

State relation: q1 and q2 are related iff:
q1.inval = ⊥ iff q2.inval = ⊥, q1.tdpp = ⊥ iff q2.tdpp = ⊥, q1.zval = ⊥ iff q2.zval = ⊥, and q1.bval = ⊥ iff q2.bval = ⊥.

Figure 4: Code for Trans(D,Tdp)

6.3 The Adversary 

The Adversary encompasses the communication channel, although its powers to affect the communication are weak (it can hear messages and decide when to deliver them, but cannot manufacture or corrupt messages).

Adv(D,Tdp,C) has two endpoints corresponding to Trans and Rec. It receives in inputs from the environment for endpoints in C. It also acts as an intermediary for outputs at endpoints in C; specifically, if Rec ∈ C, Adv(D,Tdp,C) receives out' outputs from Rec and provides out outputs to the environment at endpoint Rec. Adv(D,Tdp,C) also receives send inputs from and provides receive outputs to Trans and Rec. It also receives random inputs from the random sources of corrupted parties: rand(p)_tdpp from Src_tdpp if Trans ∈ C and rand(y)_yval from Src_yval if Rec ∈ C. Finally, Adv(D,Tdp,C) may communicate with the environment, using other, arbitrary inputs and outputs. We call these "new" inputs and outputs here. We assume that they are disjoint from all the other actions that appear in any of our explicitly-defined components. Thus, they will not be shared with any other state components we define. (Later, when we consider closing the system with an environment automaton, we will allow these new actions to be shared with the environment.)

Rec(D,Tdp,C):

Signature:

Input:
in(i)_Rec, i ∈ {0,1}
rand(y)_yval, y ∈ ({0,1} → D)
receive(1,f)_Rec, f ∈ Tdp
receive(3,b)_Rec, b ∈ ({0,1} → {0,1})

Output:
send(2,z)_Rec, z ∈ ({0,1} → D)
if Rec ∉ C then out(x)_Rec, x ∈ {0,1}
if Rec ∈ C then out'(x)_Rec, x ∈ {0,1}

Internal:
fix-zval_Rec

State:
inval ∈ {0, 1, ⊥}, initially ⊥
tdp ∈ Tdp ∪ {⊥}, initially ⊥
yval, zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
outval ∈ {0, 1, ⊥}, initially ⊥

Transitions:

in(i)_Rec
Effect:
if inval = ⊥ then inval := i

rand(y)_yval
Effect:
if yval = ⊥ then yval := y

receive(1,f)_Rec
Effect:
if tdp = ⊥ then tdp := f

fix-zval_Rec
Precondition:
yval, inval, tdp ≠ ⊥
zval = ⊥
Effect:
zval(inval) := tdp(yval(inval))
zval(1 − inval) := yval(1 − inval)

send(2,z)_Rec
Precondition:
z = zval ≠ ⊥
Effect:
none

receive(3,b)_Rec
Effect:
if yval ≠ ⊥ and outval = ⊥ then
outval := b(inval) ⊕ B(yval(inval))

out(x)_Rec or out'(x)_Rec
Precondition:
x = outval ≠ ⊥
Effect:
none

Tasks:
{in(*)_Rec}, {rand(*)_yval}, {receive(1,*)_Rec}, {send(2,*)_Rec}, {receive(3,*)_Rec}, {fix-zval_Rec}.
If Rec ∉ C then {out(*)_Rec}.
If Rec ∈ C then {out'(*)_Rec}.

State relation: q1 and q2 are related iff:
q1.inval = ⊥ iff q2.inval = ⊥, and similarly for tdp, yval, zval, and outval.

Figure 5: Code for Rec(D,Tdp,C)

The Adversary again depends on the set C of corrupted parties. Also, for each case, there is actually a set of possible adversary automata, not just one. This set is captured by the "arbitrary" designation throughout the descriptions. The Adversary Adv(D,Tdp,C) is defined in Figures 6 and 7.
Adv(D,Tdp,C):

Signature:

Input:
send(1,f)_Trans, f ∈ Tdp
send(2,z)_Rec, z ∈ ({0,1} → D)
send(3,b)_Trans, b ∈ ({0,1} → {0,1})
if Trans ∈ C then
  in(x)_Trans, x ∈ ({0,1} → {0,1})
  rand(p)_tdpp, p ∈ Tdpp
if Rec ∈ C then
  in(i)_Rec, i ∈ {0,1}
  out'(x)_Rec, x ∈ {0,1}
  rand(y)_yval, y ∈ ({0,1} → D)
Arbitrary other input actions; call these "new" input actions

Output:
receive(1,f)_Rec, f ∈ Tdp
receive(2,z)_Trans, z ∈ ({0,1} → D)
receive(3,b)_Rec, b ∈ ({0,1} → {0,1})
if Rec ∈ C then
  out(x)_Rec, x ∈ {0,1}
Arbitrary other output actions; call these "new" output actions

Internal:
Arbitrary internal actions; call these "new" internal actions

State:
messages, a set of pairs in M × {Trans, Rec}, initially ∅
if Rec ∈ C then outval(Rec) ∈ {0, 1, ⊥}, initially ⊥
Arbitrary other variables; call these "new" variables

Transitions:

send(m)_Trans
Effect:
messages := messages ∪ {(m, Rec)}

send(m)_Rec
Effect:
messages := messages ∪ {(m, Trans)}

receive(m)_Trans
Precondition:
(m, Trans) ∈ messages
Effect:
none

receive(m)_Rec
Precondition:
(m, Rec) ∈ messages
Effect:
none

out'(x)_Rec
Effect:
if outval(Rec) = ⊥ then outval(Rec) := x

out(x)_Rec
Precondition:
x = outval(Rec) ≠ ⊥
Effect:
none

in(x)_Trans, in(i)_Rec, rand(p)_tdpp, or rand(y)_yval
Effect:
Arbitrary changes to new state variables

New input action
Effect:
Arbitrary changes to new state variables

New output or internal action
Precondition:
Arbitrary
Effect:
Arbitrary changes to new state variables

Figure 6: Code for Adv(D,Tdp,C) (Part I)

6.4 The complete system 

A complete real system with parameters (D, Tdp, C) is the result of composing the task-PIOAs Trans(D, Tdp, C), Rec(D, Tdp, C), Src(Tdpp)_tdpp and Src({0,1} → D)_yval and some adversary Adv(D, Tdp, C), and then hiding all the send, receive and rand actions. If Rec ∈ C we also hide the out' outputs of Rec.

Lemma 6.3 In every reachable state of RS the following hold:

1. If Rec.yval ≠ ⊥ then Src_yval.chosenval = Rec.yval.

Lemma 6.4 In every reachable state of RS the following hold:

1. Adv.messages contains at most one round 1 message, at most one round 2 message, and at most one round 3 message.

2. If Adv.messages contains (1, f) then Trans.tdpp.funct = f.

3. If Adv.messages contains (2, z) then Rec.zval = z.

4. If Adv.messages contains (3, b) then Trans.bval = b.

5. If Rec.tdp = f ≠ ⊥ then
(a) Adv.messages contains (1, f).
(b) Trans.tdpp ≠ ⊥ and Trans.tdpp.funct = f.

6. If Rec.zval = z ≠ ⊥ then Rec.yval ≠ ⊥, Rec.inval ≠ ⊥, Rec.tdp ≠ ⊥, z(Rec.inval) = Rec.tdp(Rec.yval(Rec.inval)), and z(1 − Rec.inval) = Rec.yval(1 − Rec.inval).

7. If Trans.zval = z ≠ ⊥ then
(a) Adv.messages contains (2, z).
(b) Rec.zval = z.

8. If Trans.bval = b ≠ ⊥ then
(a) Trans.tdpp ≠ ⊥, Trans.zval ≠ ⊥, Trans.inval ≠ ⊥, and ∀i ∈ {0,1}, b(i) = B(Trans.tdpp.inverse(Trans.zval(i))) ⊕ Trans.inval(i).
(b) Rec.inval ≠ ⊥ and for i = Rec.inval, b(i) = B(Rec.yval(i)) ⊕ Trans.inval(i).

9. If Rec.bval = b ≠ ⊥ then
(a) Adv.messages contains (3, b).
(b) Trans.bval = b.

10. If Rec.outval = x ≠ ⊥ then
(a) x = Trans.bval(Rec.inval) ⊕ B(Rec.yval(Rec.inval)).
(b) x = Trans.inval(Rec.inval).

11. If Trans.tdpp ≠ ⊥ and Trans.zval ≠ ⊥, then Rec.yval ≠ ⊥, Rec.inval ≠ ⊥, and in addition Trans.tdpp.inverse(Trans.zval(Rec.inval)) = Rec.yval(Rec.inval).

Tasks: {send(1,*)_Trans}, {send(2,*)_Rec}, {send(3,*)_Trans}, {receive(1,*)_Rec}, {receive(2,*)_Trans}, {receive(3,*)_Rec}.
If Trans ∈ C then {in(*)_Trans}, {rand(*)_tdpp}.
If Rec ∈ C then {in(*)_Rec}, {out'(*)_Rec}, {rand(*)_yval}, {out(*)_Rec}.
Arbitrary tasks for new actions.

State relation: Arbitrary RS, subject to consistency requirements, and such that there exists an equivalence relation RN on the valuations of the new variables where (q1, q2) ∈ RS iff:

1. There is a bijection between q1.messages and q2.messages, such that if ((i1, m1), p1) ∈ q1.messages corresponds to ((i2, m2), p2) ∈ q2.messages then i1 = i2 and p1 = p2.

2. If Rec ∈ C then q1.outval(Rec) = ⊥ iff q2.outval(Rec) = ⊥.

3. The valuations on new variables in q1 and q2 are RN-related.

Figure 7: Code for Adv(D,Tdp,C) (Part II)

In addition, invariants can be proved for the four individual cases, for instance: 

Lemma 6.5 If C = {Rec} then, in every reachable state of RS(D,Tdp,C), the following holds:

1. If Adv.outval(Rec) = b ≠ ⊥ then Rec.outval = b.
7 The Main Theorems

In this section, we state the main theorem of this paper. It is really four theorems, for the four possible 
sets of corrupted parties. 

The theorems involve task-PIOA families, which are defined by instantiating the real and ideal 
systems with families of domains and trap-door permutations. 

7.1 Families of Sets 

We assume two families of sets: 

• D = {D_k}_{k∈N}, a family of finite domains. For example, D_k might be the set of length-k bit strings.

• Tdp = {Tdp_k}_{k∈N}, a family of sets of trap-door permutations such that the domain of f ∈ Tdp_k is D_k.

We also define the following derived families of sets: 



• Tdpp = {Tdpp_k}_{k∈N}, a family of sets of trap-door permutation pairs. Each set Tdpp_k is the set {(f, f^{-1}) : f ∈ Tdp_k}. As before, if p = (f, f^{-1}) then we refer to the two components of p as p.funct and p.inverse, respectively.

• M = {M_k}_{k∈N}, a family of message alphabets, where M_k = {(1, f) : f ∈ Tdp_k} ∪ {(2, z) : z ∈ ({0,1} → D_k)} ∪ {(3, b) : b ∈ ({0,1} → {0,1})}.

7.2 Families of Systems 

A real-system family RS for domain family D, trap-door permutation set family Tdp, and C ⊆ {Trans, Rec} is a family {RS_k}_{k∈N}, where, for each k, RS_k is a real system with parameters (D_k, Tdp_k, C). Thus, RS_k = Trans(D_k, Tdp_k) ‖ Rec(D_k, Tdp_k, C) ‖ Src(Tdpp_k)_tdpp ‖ Src({0,1} → D_k)_yval ‖ Adv_k, where Adv_k is some adversary Adv(D_k, Tdp_k, C).

An ideal-system family IS for C ⊆ {Trans, Rec} is a family {IS_k}_{k∈N}, where, for each k, IS_k is an ideal system with parameter C. Thus, IS_k = Funct(C)_k ‖ Sim_k, where Sim_k is some simulator Sim(C).

7.3 Theorem Statements 

In the following theorem, the four possible values of C yield four theorems, which we prove in Sections 9, 
10, 11, and 12, respectively. 

Theorem 7.1 For every C ⊆ {Trans, Rec} the following holds:

Let RS be a real-system family for (D, Tdp, C), in which the family Adv of adversary automata is polynomial-time-bounded.

Then there exists an ideal-system family IS for C, in which the family Sim is polynomial-time-bounded, and such that RS ≤_neg,pt IS.

8 Hard-Core Predicates 

In this section, we define a cryptographic primitive, a hard-core predicate for a trap-door permutation, that we use in several of our system descriptions. We define this in terms of task-PIOAs, and relate the new definition to the standard cryptographic definition. Using our new task-PIOA formulation, we show some consequences of the definition; in particular, we show how a hard-core predicate retains its properties if it is used twice, and if it is combined with another value using an ⊕ operation.

Throughout this section, we fix D = {D_k}_{k∈N} to be a family of finite domains, and Tdp = {Tdp_k}_{k∈N} to be a family of sets of trap-door permutations such that the domain of f ∈ Tdp_k is D_k.
8.1 Standard Definition of a Hard-Core Predicate

Informally, we say that B is a hard-core predicate for a set of trap-door permutations if, given a trap-door permutation f in the set, an element z of the domain of this permutation, and a bit b, no efficient algorithm can guess with a non-negligible advantage whether b = B(f^{-1}(z)) or b is a random bit. More precisely, we define a hard-core predicate as follows:

Definition 8.1 A hard-core predicate for D and Tdp is a predicate B : ∪_{k∈N} D_k → {0,1}, such that

1. B is polynomial-time computable.

2. For every probabilistic polynomial-time non-uniform predicate G = {G_k}_{k∈N},³ there is a negligible function ε such that, for all k,

$$\left|\,\Pr\left[f \leftarrow Tdp_k;\ z \leftarrow D_k;\ b \leftarrow B(f^{-1}(z)) : G_k(f,z,b) = 1\right] - \Pr\left[f \leftarrow Tdp_k;\ z \leftarrow D_k;\ b \leftarrow \{0,1\} : G_k(f,z,b) = 1\right]\,\right| \le \epsilon(k).$$

Note that, when A is a finite set, the notation x ← A means that x is selected randomly (according to the uniform distribution) from A.

This definition is a reformulation of Def. 2.5.1 of [Foundations of Cryptography, Volume I: Basic Tools, by Oded Goldreich, Cambridge University Press, 2001, reprint of 2003, p. 64.] [goldreich03].

8.2 Redefinition of Hard-Core Predicates in Terms of PIOAs 

We now show how this last definition can be expressed in terms of task-PIOAs. To this purpose, we define two new task-PIOA families. The first one, denoted by SH (for "System providing a Hard-core bit"), outputs a random trap-door permutation f, a random element z of the domain of this permutation, and the bit B(f^{-1}(z)). The second, denoted by SHR (for "System in which the Hard-core bit is replaced by a Random bit"), is the same as the previous one except that the output bit b is simply a random bit.

With these two PIOA families, Definition 8.1 of hard-core predicates can be expressed in terms of task-PIOAs by saying that SH ≤_neg,pt SHR, which means (informally) that, for every polynomial-time-bounded family E of environments for SH and SHR, every polynomial-time-bounded task-scheduler family for SH ‖ E generates a family of trace distributions of SH ‖ E that can be mimicked by SHR ‖ E with an appropriate task-scheduler family.

Definition 8.2 The task-PIOA family SH is defined as hide_{rand(y)_yval}(Src_tdp ‖ Src_yval ‖ H), where

• Src_tdp = {(Src_tdp)_k}_{k∈N}, where each (Src_tdp)_k is isomorphic to Src(Tdp_k),

• Src_yval = {(Src_yval)_k}_{k∈N}, where each (Src_yval)_k is isomorphic to Src(D_k),

• H = {H_k}_{k∈N}, where each H_k receives the permutation f from (Src_tdp)_k and the element y ∈ D_k from (Src_yval)_k, and outputs the two values z = f(y) and B(y). Each H_k is defined as H(D_k, Tdp_k, B), where H(D, Tdp, B) is defined in Fig. 8.

Definition 8.3 The task-PIOA family SHR is defined as (Src_tdp ‖ Src_zval ‖ Src_bval), where

• Src_tdp = {(Src_tdp)_k}_{k∈N}, where each (Src_tdp)_k is isomorphic to Src(Tdp_k),

• Src_zval = {(Src_zval)_k}_{k∈N}, where each (Src_zval)_k is isomorphic to Src(D_k),

• Src_bval = {(Src_bval)_k}_{k∈N}, where each (Src_bval)_k is isomorphic to Src({0,1}).

³ This is defined to be a family of predicates that can be evaluated by a non-uniform family (M_k)_{k∈N} of probabilistic polynomial-time-bounded Turing machines, that is, by a family of Turing machines for which there exist polynomials p and q such that each M_k executes in time at most p(k) and has a standard representation of length at most q(k). An equivalent requirement is that the predicates are computable by a family of Boolean circuits where the kth circuit in the family is of size at most p(k).

H(D,Tdp,B):

Signature:

Input:
rand(f)_tdp, f ∈ Tdp
rand(y)_yval, y ∈ D

Output:
rand(z)_zval, z ∈ D
rand(b)_bval, b ∈ {0,1}

Internal:
fix-bval
fix-zval

State:
fval ∈ Tdp ∪ {⊥}, initially ⊥
yval ∈ D ∪ {⊥}, initially ⊥
zval ∈ D ∪ {⊥}, initially ⊥
bval ∈ {0,1} ∪ {⊥}, initially ⊥

Transitions:

rand(f)_tdp
Effect:
if fval = ⊥ then fval := f

rand(y)_yval
Effect:
if yval = ⊥ then yval := y

fix-zval
Precondition:
fval ≠ ⊥, yval ≠ ⊥
Effect:
if zval = ⊥ then zval := fval(yval)

fix-bval
Precondition:
yval ≠ ⊥
Effect:
if bval = ⊥ then bval := B(yval)

rand(z)_zval
Precondition:
z = zval ≠ ⊥
Effect:
none

rand(b)_bval
Precondition:
b = bval ≠ ⊥
Effect:
none

Tasks: {rand(*)_tdp}, {rand(*)_yval}, {fix-bval}, {fix-zval}, {rand(*)_zval}, {rand(*)_bval}.

State relation: q1 and q2 are related iff:
q1.fval = ⊥ iff q2.fval = ⊥, and similarly for yval, zval, and bval.

Figure 8: Hard-core predicate automaton, H(D,Tdp,B)

Definition 8.4 A hard-core predicate for D and Tdp is a polynomial-time-computable predicate B : ∪_{k∈N} D_k → {0,1}, such that SH ≤_neg,pt SHR.

Theorem 8.5 If B is a hard-core predicate for D and Tdp according to Definition 8.1, then B is also a hard-core predicate for D and Tdp according to Definition 8.4.

Proof. Suppose that B is a hard-core predicate for D and Tdp according to Definition 8.1. Definition 8.1 implies that B is polynomial-time computable, which is required by Definition 8.4.

It remains to show that SH ≤_neg,pt SHR, where the same B defined above is used in the definition of SH. To show this, we fix polynomials p and p1. It suffices to show the existence of a negligible function ε such that SH ≤_{ε,p,p1,p1} SHR. This amounts to proving the existence of a negligible function ε such that, for every k ∈ N, SH_k ≤_{ε(k),p(k),p1(k),p1(k)} SHR_k. Unwinding this definition further, this
means that it is enough to show the existence of a negligible function ε such that, for every k ∈ N, for every p(k)-time-bounded environment E for SH_k and SHR_k, and for every p1(k)-bounded task scheduler ρ1 for SH_k ‖ E, there exists a p1(k)-bounded task scheduler ρ2 for SHR_k ‖ E, such that

$$\left| Paccept(SH_k \,\|\, E, \rho_1) - Paccept(SHR_k \,\|\, E, \rho_2) \right| \le \epsilon(k).$$

We first define a homomorphism of task schedulers. Specifically, for every k and every environment E for SH_k and SHR_k, we define a homomorphism hom from task schedulers of SH_k ‖ E to task schedulers of SHR_k ‖ E. Namely:

1. Replace each occurrence of the {choose-rand_yval} and {rand_yval} tasks of (Src_yval)_k with the empty task sequence λ.

2. Replace each occurrence of the {fix-bval} task of H_k with the {choose-bval} task of (Src_bval)_k.

3. Replace each occurrence of the {fix-zval} task of H_k with the {choose-zval} task of (Src_zval)_k.

4. Keep every other task unchanged.

Note that the homomorphism hom is independent of k and E. Also, note that hom is length-nonincreasing: for every task scheduler ρ1 of SH_k ‖ E, |hom(ρ1)| ≤ |ρ1|.

Thus, it is enough to show the existence of a negligible function ε such that, for every k ∈ N, for every p(k)-time-bounded environment E for SH_k and SHR_k, and for every p1(k)-bounded task scheduler ρ1 for SH_k ‖ E,

$$\left| Paccept(SH_k \,\|\, E, \rho_1) - Paccept(SHR_k \,\|\, E, hom(\rho_1)) \right| \le \epsilon(k).$$

Now, for every k ∈ N, define (E_max)_k to be a p(k)-time-bounded environment for SH_k and define (ρ1max)_k to be a p1(k)-time-bounded scheduler for SH_k ‖ (E_max)_k, with the property that, for every p(k)-time-bounded environment E for SH_k and every p1(k)-time-bounded scheduler ρ1 for SH_k ‖ E,

$$\left| Paccept(SH_k \,\|\, E, \rho_1) - Paccept(SHR_k \,\|\, E, hom(\rho_1)) \right| \le \left| Paccept(SH_k \,\|\, (E_{max})_k, (\rho_{1max})_k) - Paccept(SHR_k \,\|\, (E_{max})_k, hom((\rho_{1max})_k)) \right|.$$

To see that such (E_max)_k and (ρ1max)_k must exist, note that we are considering only E for which all parts of the description are bounded by p(k), and only ρ1 with length at most p1(k). Since there are only a finite number of such (E, ρ1) pairs (up to isomorphism), we can select a particular pair that maximizes the given difference.

This means that it is enough to show the existence of a negligible function ε such that, for every k ∈ N,

$$\left| Paccept(SH_k \,\|\, (E_{max})_k, (\rho_{1max})_k) - Paccept(SHR_k \,\|\, (E_{max})_k, hom((\rho_{1max})_k)) \right| \le \epsilon(k).$$

To show this, we will apply Definition 8.1. This requires us to define an appropriate probabilistic polynomial-time non-uniform predicate G = (G_k)_{k∈N}.

We define G_k as follows: G_k has three input arguments: f ∈ Tdp_k, z ∈ D_k and b ∈ {0,1}; we only care what G_k does if its inputs are in these designated sets. For these inputs, G_k simulates the behavior of (E_max)_k when it is executed with (ρ1max)_k, as follows:

1. G_k reads its inputs f, z and b.

2. G_k then reads the tasks in (ρ1max)_k, one by one. For each task T that it reads:

• G_k determines (in polynomial time) whether T is a task of (E_max)_k and goes on to the next task if it is not.

• If T is an output or internal task of (E_max)_k, then G_k simulates the performance of T, by determining the unique enabled action (in polynomial time) and the next state (in probabilistic polynomial time).

• If T is an input task of (E_max)_k of the form {rand(*)_tdp} then G_k simulates the action rand(f)_tdp, where f is G_k's first input argument. Similarly, if T is of the form {rand(*)_zval} then G_k simulates the action rand(z)_zval, where z is G_k's second input argument. And if T is of the form {rand(*)_bval} then G_k simulates rand(b)_bval, where b is G_k's third input argument.

3. After completing the processing of (ρ1max)_k, G_k checks if the accept action has been performed. It outputs 1 in that case, and 0 otherwise.

Now, Definition 8.1 guarantees that there is a negligible function ε such that, for all k,

$$\left|\,\Pr\left[f \leftarrow Tdp_k;\ z \leftarrow D_k;\ b \leftarrow B(f^{-1}(z)) : G_k(f,z,b) = 1\right] - \Pr\left[f \leftarrow Tdp_k;\ z \leftarrow D_k;\ b \leftarrow \{0,1\} : G_k(f,z,b) = 1\right]\,\right| \le \epsilon(k).$$

By the definitions of SH and SHR, and the homomorphism hom, we observe that:

$$Paccept(SH_k \,\|\, (E_{max})_k, (\rho_{1max})_k) = \Pr\left[f \leftarrow Tdp_k;\ z \leftarrow D_k;\ b \leftarrow B(f^{-1}(z)) : G_k(f,z,b) = 1\right]$$

and

$$Paccept(SHR_k \,\|\, (E_{max})_k, hom((\rho_{1max})_k)) = \Pr\left[f \leftarrow Tdp_k;\ z \leftarrow D_k;\ b \leftarrow \{0,1\} : G_k(f,z,b) = 1\right].$$

Therefore, we conclude that, for every k ∈ N,

$$\left| Paccept(SH_k \,\|\, (E_{max})_k, (\rho_{1max})_k) - Paccept(SHR_k \,\|\, (E_{max})_k, hom((\rho_{1max})_k)) \right| \le \epsilon(k),$$

which is what we needed to show. □



8.3 Consequences of the New Definition 

In this subsection, we formulate in our framework two important consequences that follow from our new definition of a hard-core predicate, and that are used in our analysis of the Oblivious Transfer algorithm. The first one says that a hard-core predicate can be applied to two values, and a probabilistic polynomial-time environment still cannot distinguish the results from random values. This fact is needed because, in the Oblivious Transfer protocol, the transmitter applies the hard-core predicate to both f^{-1}(zval(0)) and f^{-1}(zval(1)), where f is the chosen trap-door function.

The second consequence says that, if the results of applying a hard-core predicate are combined with inputs from the environment using ⊕, the final results still look random to the environment. This fact is needed because, in the protocol, the transmitter computes and sends B(f^{-1}(zval(i))) ⊕ inval(i), i ∈ {0,1}, rather than just B(f^{-1}(zval(i))).

8.3.1 Applying a Hard-Core Predicate Twice

Here, we show that, if B is a hard-core predicate, then no probabilistic polynomial-time environment can distinguish the distribution (f, z(0), z(1), B(f^{-1}(z(0))), B(f^{-1}(z(1)))) from the distribution (f, z(0), z(1), b(0), b(1)), where f is a randomly-chosen trap-door permutation, z(0) and z(1) are randomly-chosen elements of the domain D_k, and b(0) and b(1) are randomly-chosen bits. We do this by defining two systems that produce the two distributions, and showing that one implements the other. We use our second definition of hard-core predicate, Definition 8.4.
Definition 8.6 The task-PIOA family SH2 is defined as hide_{rand(y)_yval0 ∪ rand(y)_yval1}(Src_tdp ‖ Src_yval0 ‖ Src_yval1 ‖ H0 ‖ H1), where

• Src_tdp = {(Src_tdp)_k}_{k∈N}, where each (Src_tdp)_k is isomorphic to Src(Tdp_k),

• Src_yval0 = {(Src_yval0)_k}_{k∈N}, Src_yval1 = {(Src_yval1)_k}_{k∈N}, where each (Src_yval0)_k and each (Src_yval1)_k is isomorphic to Src(D_k),

• H0 = {H0_k}_{k∈N} and H1 = {H1_k}_{k∈N} are two instances of H, where all actions have the corresponding index 0 or 1 appended to their name (e.g., rand(z)_zval is renamed as rand(z)_zval0 in H0). The only exception is the rand(f)_tdp action, which is kept as it is in H: we use the same trapdoor permutation for both task-PIOA families.

Definition 8.7 The task-PIOA family SHR2 is defined as (Src_tdp ‖ Src_zval0 ‖ Src_zval1 ‖ Src_bval0 ‖ Src_bval1), where

• Src_tdp = {(Src_tdp)_k}_{k∈N}, where each (Src_tdp)_k is isomorphic to Src(Tdp_k),

• Src_zval0 = {(Src_zval0)_k}_{k∈N} and Src_zval1 = {(Src_zval1)_k}_{k∈N}, where each (Src_zval0)_k and each (Src_zval1)_k is isomorphic to Src(D_k),

• Src_bval0 = {(Src_bval0)_k}_{k∈N} and Src_bval1 = {(Src_bval1)_k}_{k∈N}, where each (Src_bval0)_k and each (Src_bval1)_k is isomorphic to Src({0,1}).

Lemma 8.8 If B is a hard-core predicate, then SH2 ≤_neg,pt SHR2.



Proof. By Theorem 8.5, we may assume that SH ≤_neg,pt SHR. To prove that SH2 ≤_neg,pt SHR2, we introduce a new task-PIOA family Int, which is intermediate between SH2 and SHR2. Int is defined as hide_{rand(y)_yval0}(Src_tdp ‖ Src_yval0 ‖ H0 ‖ Src_zval1 ‖ Src_bval1), where

• Src_tdp is exactly as in SH2 and SHR2.

• Src_yval0 and H0 are as in SH2.

• Src_zval1 and Src_bval1 are as in SHR2.

Thus, Int generates one of the bits, bval0, using the hard-core predicate B, as in SH2, and generates the other, bval1, randomly, as in SHR2.

We claim that SH2 ≤_neg,pt Int. To see this, note that Definition 8.1 implies that

hide_{rand(y)_yval1}(Src_tdp ‖ Src_yval1 ‖ H1) ≤_neg,pt Src_tdp ‖ Src_zval1 ‖ Src_bval1.

This is because these two systems are simple renamings of the SH and SHR systems described in Section 8.2.

Now let I be the task-PIOA family hide_{rand(y)_yval0}(Src_yval0 ‖ H0). It is easy to see, from the code for the two components of I, that I is polynomial-time-bounded. Then Lemma 3.73 implies that

hide_{rand(y)_yval1}(Src_tdp ‖ Src_yval1 ‖ H1) ‖ I ≤_neg,pt Src_tdp ‖ Src_zval1 ‖ Src_bval1 ‖ I.

Since the left-hand side of this relation is SH2 and the right-hand side is Int, this implies SH2 ≤_neg,pt Int, as needed.

Next, we claim that Int ≤_neg,pt SHR2. To see this, note that Definition 8.1 implies that

hide_{rand(y)_yval0}(Src_tdp ‖ Src_yval0 ‖ H0) ≤_neg,pt Src_tdp ‖ Src_zval0 ‖ Src_bval0.

Now let I be the polynomial-time-bounded task-PIOA family Src_zval1 ‖ Src_bval1. Then Lemma 3.73 implies that

hide_{rand(y)_yval0}(Src_tdp ‖ Src_yval0 ‖ H0) ‖ I ≤_neg,pt Src_tdp ‖ Src_zval0 ‖ Src_bval0 ‖ I.

Since the left-hand side of this relation is Int and the right-hand side is SHR2, this implies Int ≤_neg,pt SHR2, as needed.

Since SH2 ≤_neg,pt Int and Int ≤_neg,pt SHR2, transitivity of ≤_neg,pt (Lemma 3.82) implies that SH2 ≤_neg,pt SHR2. □

8.3.2 Combining two hard-core bits with two input values 

This material is for Case 1 of the proof. 

In the Oblivious Transfer protocol, the transmitter does not send B(f^{-1}(z_i)) (i ∈ {0,1}), but rather B(f^{-1}(z_i)) ⊕ x_i, where x_i is an input bit provided by the environment. In this subsection, we prove that the resulting bits still look random to a polynomial-time-bounded environment. This result follows from the fact that B is a hard-core predicate, without requiring any new computational assumptions.

For this purpose, we add an interface that efficiently reduces any instance of the computational problem specific to our protocol into an instance of the computational problem we examined in the previous subsection. Specifically, we define a new polynomial-time-bounded task-PIOA family Ifc = {Ifc_k}_{k∈N}. Task-PIOA Ifc_k receives, as inputs, a trapdoor permutation f, two bits b_0 and b_1, two elements z_0 and z_1 of D_k, and a pair of bits (x_0, x_1), and outputs the same trapdoor permutation f and the two pairs (z_0, z_1) and (b_0 ⊕ x_0, b_1 ⊕ x_1). Interface automaton Ifc_k is defined to be Ifc(Tdp_k, D_k), where Ifc(Tdp, D) is defined in Fig. 9.

Now we define SHOT and SHROT, two task-PIOA families that we will need to compare in our proofs in Section 9.5.

Definition 8.9 Consider the task-set family U = {U_k}_{k∈N}, where U_k is the set {{rand(*)_tdp}, {rand(*)_zval0}, {rand(*)_zval1}, {rand(*)_bval0}, {rand(*)_bval1}} of tasks of SH2_k and SHR2_k. The task-PIOA family SHOT = {SHOT_k}_{k∈N} is defined as hide_U(SH2 ‖ Ifc). Also, the task-PIOA family SHROT = {SHROT_k}_{k∈N} is defined as hide_U(SHR2 ‖ Ifc).



Lemma 8.10 SHOT ≤_neg,pt SHROT.

Proof. By Lemma 8.8, SH2 ≤_neg,pt SHR2. The task-PIOA family Ifc is polynomial-time-bounded. Therefore, since the ≤_neg,pt relation is preserved when the related automata are composed with polynomial-time-bounded task-PIOA families (Lemma 3.73),

SH2 ‖ Ifc ≤_neg,pt SHR2 ‖ Ifc.

Then, since hiding output tasks of polynomial-time-bounded task-PIOA families preserves the ≤_neg,pt relation (Lemma 3.84), we have that

hide_U(SH2 ‖ Ifc) ≤_neg,pt hide_U(SHR2 ‖ Ifc),

which in turn implies that SHOT ≤_neg,pt SHROT. □

Some invariants will be helpful in the later proofs: 
Lemma 8.11 In all reachable states of SHOT:

1. Ifc.fval = H0.fval = H1.fval.

2. If Ifc.fval ≠ ⊥ then Ifc.fval = Src_tdp.chosenval.

3. If Hi.yval ≠ ⊥ then Hi.yval = Src_yvali.chosenval.

4. If Hi.zval ≠ ⊥ then Hi.yval ≠ ⊥, Hi.fval ≠ ⊥, and Hi.zval = Hi.fval(Hi.yval).

5. If Hi.bval ≠ ⊥ then Hi.yval ≠ ⊥ and Hi.bval = B(Hi.yval).

6. If Ifc.bval(i) ≠ ⊥ then Ifc.bval(i) = Hi.bval.

7. If Ifc.bxorx ≠ ⊥ then Ifc.xval ≠ ⊥, for i ∈ {0,1}, Ifc.bval(i) ≠ ⊥, and for i ∈ {0,1}, Ifc.bxorx(i) = Ifc.bval(i) ⊕ Ifc.xval(i).
Ifc(Tdp,D):

Signature:

Input:
rand(f)_tdp, f ∈ Tdp
rand(z)_zval0, rand(z)_zval1, z ∈ D
rand(b)_bval0, rand(b)_bval1, b ∈ {0,1}
in(x)_Trans, x ∈ {0,1} → {0,1}

Output:
send(1,f)_Trans, f ∈ Tdp
send(2,z)_Rec, z ∈ {0,1} → D
send(3,b)_Trans, b ∈ {0,1} → {0,1}

Internal:
fix-bxorx

State:
fval ∈ Tdp ∪ {⊥}, initially ⊥
zval ∈ {0,1} → (D ∪ {⊥}), initially identically ⊥
bval ∈ {0,1} → {0, 1, ⊥}, initially identically ⊥
xval, bxorx ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:

rand(f)_tdp
Effect:
if fval = ⊥ then fval := f

rand(z)_zvali, i ∈ {0,1}
Effect:
if zval(i) = ⊥ then zval(i) := z

rand(b)_bvali, i ∈ {0,1}
Effect:
if bval(i) = ⊥ then bval(i) := b

in(x)_Trans
Effect:
if xval = ⊥ then xval := x

fix-bxorx
Precondition:
∀i ∈ {0,1}, bval(i) ≠ ⊥
xval ≠ ⊥
bxorx = ⊥
Effect:
for i ∈ {0,1} do
bxorx(i) := bval(i) ⊕ xval(i)

send(1,f)_Trans
Precondition:
fval ≠ ⊥
f = fval
Effect:
none

send(2,z)_Rec
Precondition:
zval(i) ≠ ⊥ (i ∈ {0,1})
z = zval
Effect:
none

send(3,b)_Trans
Precondition:
bxorx ≠ ⊥
b = bxorx
Effect:
none

Tasks: {rand(*)_tdp}, {rand(*)_zval0}, {rand(*)_zval1}, {rand(*)_bval0}, {rand(*)_bval1}, {in(*)_Trans}, {fix-bxorx},
{send(1,f)_Trans}, {send(2,z)_Rec}, {send(3,b)_Trans}.

State relation: q1 and q2 are related iff:
q1.fval = ⊥ iff q2.fval = ⊥, and similarly for xval and bxorx;
∀i ∈ {0,1}, q1.bval(i) = ⊥ iff q2.bval(i) = ⊥, and similarly for zval(i).

Figure 9: Interface, Ifc(Tdp, D)
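The following executable toy model, added here and not code from the paper, ties the real-system automata of Section 6 (Figures 4 and 5) to the interface Ifc of Figure 9: it runs Trans and Rec under one fixed task schedule with a relaying adversary, checks Lemma 6.4(10b) (Rec.outval = Trans.inval(Rec.inval)), and checks the reduction of Section 8.3.2, namely that the adversary's view of a run is exactly Ifc applied to an SH2-style sample (f, z(0), z(1), B(f^{-1}(z(0))), B(f^{-1}(z(1)))). It assumes a constructed, insecure textbook-RSA trap-door permutation and B = least significant bit as hypothetical stand-ins for the abstract Tdp and B.

```python
"""Toy executable model of the OT real system (Figures 4 and 5) and of the
interface Ifc (Figure 9).  Constructed example, not the paper's code: the
trap-door permutation is a tiny textbook RSA instance (insecure toy) with
B = least significant bit, and BOT plays the role of the undefined value."""
import random

BOT = None


class ToyTdpp:
    """Trap-door permutation pair p = (funct, inverse) over D = Z_n (toy)."""
    def __init__(self, p, q, e):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))  # the trap door (Python 3.8+)
    def funct(self, y):                          # the public permutation f
        return pow(y, self.e, self.n)
    def inverse(self, z):                        # f^{-1}; needs the trap door
        return pow(z, self.d, self.n)


def B(y):
    """Hard-core predicate assumed by this toy: the least significant bit."""
    return y & 1


class Trans:
    """Figure 4: one method per transition; an input only takes effect once."""
    def __init__(self):
        self.inval = self.tdpp = self.zval = self.bval = BOT
    def in_(self, x):              # in(x)_Trans, x : {0,1} -> {0,1} as a pair
        if self.inval is BOT: self.inval = x
    def rand_tdpp(self, p):        # rand(p)_tdpp
        if self.tdpp is BOT: self.tdpp = p
    def receive2(self, z):         # receive(2, z)_Trans
        if self.zval is BOT: self.zval = z
    def fix_bval(self):            # fix-bval_Trans; False when not enabled
        if BOT in (self.tdpp, self.zval, self.inval) or self.bval is not BOT:
            return False
        self.bval = tuple(B(self.tdpp.inverse(self.zval[i])) ^ self.inval[i]
                          for i in (0, 1))
        return True


class Rec:
    """Figure 5: inval selects which of Trans's two bits Rec will learn."""
    def __init__(self):
        self.inval = self.tdp = self.yval = self.zval = self.outval = BOT
    def in_(self, i):              # in(i)_Rec, i in {0,1}
        if self.inval is BOT: self.inval = i
    def rand_yval(self, y):        # rand(y)_yval, y : {0,1} -> D as a pair
        if self.yval is BOT: self.yval = y
    def receive1(self, f):         # receive(1, f)_Rec
        if self.tdp is BOT: self.tdp = f
    def fix_zval(self):            # fix-zval_Rec; False when not enabled
        if BOT in (self.yval, self.inval, self.tdp) or self.zval is not BOT:
            return False
        z = [BOT, BOT]
        z[self.inval] = self.tdp(self.yval[self.inval])   # f(y) at index inval
        z[1 - self.inval] = self.yval[1 - self.inval]     # plain y at the other
        self.zval = tuple(z)
        return True
    def receive3(self, b):         # receive(3, b)_Rec
        if self.yval is not BOT and self.outval is BOT:
            self.outval = b[self.inval] ^ B(self.yval[self.inval])


def run_real_system(x, i, p, y):
    """Run Trans || Rec under one fixed task schedule; the adversary of
    Figure 6 only records and relays.  Returns (Rec.outval, messages)."""
    t, r, messages = Trans(), Rec(), []
    t.in_(x); r.in_(i); t.rand_tdpp(p); r.rand_yval(y)
    messages.append((1, t.tdpp.funct)); r.receive1(t.tdpp.funct)  # round 1
    assert r.fix_zval()
    messages.append((2, r.zval)); t.receive2(r.zval)                # round 2
    assert t.fix_bval()
    messages.append((3, t.bval)); r.receive3(t.bval)                # round 3
    return r.outval, messages


def ifc_messages(f, z, b, x):
    """Figure 9: Ifc maps (f, z(0), z(1), b(0), b(1)) and x to a protocol trace."""
    return [(1, f), (2, z), (3, (b[0] ^ x[0], b[1] ^ x[1]))]


def sh2_sample_matches_protocol(x, i, p, y):
    """Lemma 6.4(10b): Rec learns exactly x(i).  Reduction of Section 8.3.2:
    the adversary's view equals Ifc applied to the SH2 sample with the same z."""
    out, real = run_real_system(x, i, p, y)
    z = real[1][1]
    b = (B(p.inverse(z[0])), B(p.inverse(z[1])))   # the two hard-core bits
    return out == x[i] and real == ifc_messages(p.funct, z, b, x)


if __name__ == "__main__":
    rng, p = random.Random(7), ToyTdpp(61, 53, 17)   # n = 3233, constructed toy
    for _ in range(50):
        x, i = (rng.randint(0, 1), rng.randint(0, 1)), rng.randint(0, 1)
        y = (rng.randrange(p.n), rng.randrange(p.n))
        assert sh2_sample_matches_protocol(x, i, p, y)
    print("50 runs: out = x(i) and adversary view = Ifc(SH2 sample)")
```

The eavesdropper's trace depends on the inputs only through the two masked bits b(i) ⊕ x(i), which is exactly why Lemma 8.10 (SHOT ≤_neg,pt SHROT) is what Case 1 needs.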



8.3.3 Combining a single hard-core bit with an input value 



For Case 2 of the proof, we define new SHOT' and SHROT' families.

Definition 8.12 The task-PIOA family SHOT' is defined as

hide_{rand(*)_tdp, rand(*)_zval, rand(*)_bval, rand(*)_yval'}(SH || Src_yval' || Ifc'),

where

• SH is given in Def. 8.2,

• Src_yval' = {(Src_yval')_k}_{k ∈ N}, where each (Src_yval')_k is isomorphic to Src(D_k),

• Ifc' is defined in Fig. 10 and 11.

Definition 8.13 The task-PIOA family SHROT' is defined as

hide_{rand(*)_tdp, rand(*)_zval, rand(*)_bval, rand(*)_yval'}(SHR || Src_yval' || Ifc'),

where SHR is given in Def. 8.3 while Src_yval' and Ifc' are as in Def. 8.12.



Ifc'(Tdp, D):

Signature:
  Input:
    rand(f)_tdp, f ∈ Tdp
    rand(z)_zval, z ∈ D
    rand(y)_yval', y ∈ D
    rand(b)_bval, b ∈ {0,1}
    in(x)_Trans, x ∈ {0,1} → {0,1}
    in(i)_Rec, i ∈ {0,1}
    out'(x)_Rec, x ∈ {0,1}
  Output:
    send(1, f)_Trans, f ∈ Tdp
    send(2, z)_Rec, z ∈ {0,1} → D
    send(3, b)_Trans, b ∈ {0,1} → {0,1}
    out''(x)_Rec, x ∈ {0,1}
  Internal:
    fix-zval_Rec
    fix-bval_Trans

State:
  fval ∈ (Tdp ∪ {⊥}), initially ⊥
  zval' ∈ (D ∪ {⊥}), initially ⊥
  yval' ∈ (D ∪ {⊥}), initially ⊥
  zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  bval' ∈ {0,1,⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  inval(Trans), inval(Rec) ∈ {0,1,⊥}, initially ⊥
  inval2(Trans) ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Figure 10: Interface, Ifc'(Tdp, D) (Part I)
Again, we have:

Lemma 8.14 SHOT' ≤_{neg,pt} SHROT'.

Proof. By Definition 8.4, SH ≤_{neg,pt} SHR. The task-PIOA families Ifc' and Src_yval' are polynomial-
time-bounded. Therefore, since the ≤_{neg,pt} relation is preserved when the related automata are com-
posed with polynomial-time-bounded task-PIOA families (Lemma 3.83),

SH || Ifc' || Src_yval' ≤_{neg,pt} SHR || Ifc' || Src_yval'.

Now, if we define U = {rand(*)_tdp, rand(*)_zval, rand(*)_bval, rand(*)_yval'}, we have that

hide_U(SH || Ifc' || Src_yval') ≤_{neg,pt} hide_U(SHR || Ifc' || Src_yval'),

since hiding output tasks of polynomial-time-bounded task-PIOA families preserves the ≤_{neg,pt} relation
(Lemma 3.84).

This is equivalent to saying that SHOT' ≤_{neg,pt} SHROT'. □

Some invariants will be helpful in the later proofs: 

Lemma 8.15 In all reachable states of SHOT':

1. Ifc'. fval = H.fval. 
Ifc'(Tdp, D):

Transitions:
  out'(x)_Rec
    Effect:
      if inval(Trans) = ⊥ then inval(Trans) := x

  in(i)_Rec
    Effect:
      if inval(Rec) = ⊥ then inval(Rec) := i

  in(x)_Trans
    Effect:
      if inval2(Trans) = ⊥ then inval2(Trans) := x

  rand(f)_tdp
    Effect:
      if fval = ⊥ then fval := f

  rand(y)_yval'
    Effect:
      if yval' = ⊥ then yval' := y

  rand(z)_zval
    Effect:
      if zval' = ⊥ then zval' := z

  rand(b)_bval
    Effect:
      if bval' = ⊥ then bval' := b

  fix-zval_Rec
    Precondition:
      yval', zval', bval', inval(Rec), fval ≠ ⊥
      zval = ⊥
    Effect:
      zval(inval(Rec)) := fval(yval')
      zval(1 - inval(Rec)) := zval'

  fix-bval_Trans
    Precondition:
      bval', yval' ≠ ⊥
      inval(Trans), inval2(Trans), inval(Rec) ≠ ⊥
      bval = ⊥
    Effect:
      bval(inval(Rec)) := B(yval') ⊕ inval(Trans)
      bval(1 - inval(Rec)) := bval' ⊕ inval2(Trans)(1 - inval(Rec))

  out''(x)_Rec
    Precondition:
      x = inval(Trans) ≠ ⊥
    Effect:
      none

  send(1, f)_Trans
    Precondition:
      tdpp ≠ ⊥, f = tdpp.funct
    Effect:
      none

  send(2, z)_Rec
    Precondition:
      z = zval ≠ ⊥
    Effect:
      none

  send(3, b)_Trans
    Precondition:
      b = bval ≠ ⊥
    Effect:
      none

Tasks: {rand(*)_tdp}, {rand(*)_yval'}, {rand(*)_zval}, {rand(*)_bval}, {in(*)_Trans}, {in(*)_Rec}, {out'(*)_Rec},
  {send(1,*)_Trans}, {send(2,*)_Rec}, {send(3,*)_Trans}, {out''(*)_Rec}, {fix-zval_Rec}, {fix-bval_Trans}.

State relation: q_1 and q_2 are related iff:
  q_1.fval = ⊥ iff q_2.fval = ⊥, and similarly for zval', yval', zval, bval, bval', inval(Trans), inval(Rec) and inval2(Trans).

Figure 11: Interface, Ifc'(Tdp, D) (Part II)
2. If Ifc'.fval ≠ ⊥ then Ifc'.fval = Src_tdp.chosenval.

3. If H.yval ≠ ⊥ then H.yval = Src_yval.chosenval.

4. If Ifc'.yval' ≠ ⊥ then Ifc'.yval' = Src_yval'.chosenval.

5. If H.zval ≠ ⊥ then H.fval ≠ ⊥, H.yval ≠ ⊥ and H.zval = H.fval(H.yval).

6. If Ifc'.zval' ≠ ⊥ then Ifc'.zval' = H.zval.

7. If H.bval ≠ ⊥ then H.yval ≠ ⊥ and H.bval = B(H.yval).

8. If Ifc'.bval' ≠ ⊥ then Ifc'.bval' = H.bval.

9. If Ifc'.zval ≠ ⊥ then Ifc'.yval' ≠ ⊥ and Ifc'.bval' ≠ ⊥.

9 Correctness Proof, Case 1: Neither Party Corrupted 

To show correctness, we consider four cases, based on which parties are corrupted. This section is
devoted to the case where neither party is corrupted, that is, where C = ∅, and Sections 10-12 deal
with the other three cases.

Theorem 9.1 Let RS be a real-system family for (D, Tdp, C), C = ∅, in which the family Adv of
adversary automata is polynomial-time-bounded.

Then there exists an ideal-system family IS for C = ∅, in which the family Sim is polynomial-time-
bounded, and such that RS ≤_{neg,pt} IS.

Since C = ∅ everywhere in this section, we drop explicit mention of C from now on in the section.

We begin by expressing each Sim_k as a composition of automata. This composition describes
the particular simulation strategy needed to mimic the behavior of the real system. We define a
"structured ideal system" SIS_k to be the composition of this structured simulator with Funct_k. It is easy
to see that SIS is an ideal-system family, according to our definition of an ideal system. Moreover, if
Adv is polynomial-time-bounded, then Sim is also polynomial-time-bounded. It remains to show that

RS ≤_{neg,pt} SIS.

In order to show that RS ≤_{neg,pt} SIS, we use two intermediate families of systems, Int1 and Int2.
These two families of systems are nearly identical; in fact, they differ only in that Int1 uses a hard-core
predicate of a trap-door permutation in situations where Int2 uses random bits. Then the proof breaks
down into three pieces, showing that RS ≤_{neg,pt} Int1, that Int1 ≤_{neg,pt} Int2, and that Int2 ≤_{neg,pt} SIS.
All reasoning about computational indistinguishability and other cryptographic issues is isolated to the
middle level, the proof that Int1 ≤_{neg,pt} Int2.

To show that Int1 ≤_{neg,pt} Int2, we use results from Section 8. The style of the proof that Int1 ≤_{neg,pt}
Int2 is an alternative to the usual "Distinguisher" arguments from the traditional cryptographic protocol
literature. Our proof does not contain any arguments "by contradiction"; instead, it relies on positive
results about implementation, composition, and hiding. The essential technical ideas that appear in
the usual Distinguisher argument still appear in our argument, but in a direct (and systematic) way.

The proofs that RS ≤_{neg,pt} Int1 and that Int2 implements SIS do not involve cryptographic issues.
They are reasonably straightforward, using simulation relations of the new kind defined in Section 3.3.8.

The multi-level structure, with intermediate levels Int1 and Int2, is also used for the case where
C = {R}, that is, where only the Receiver is corrupted. However, it is not needed for the other two
cases, where C = {T} and where C = {T, R}.

In the rest of this section, we fix a particular polynomial-time-bounded adversary family Adv.
9.1 Simulator structure

For each k, we define a structured simulator SSim_k, as the composition of the following five task-PIOAs,
with all send, receive, and rand actions hidden.

• TR(D_k, Tdp_k), an abstract combination of Trans(D_k, Tdp_k) and Rec(D_k, Tdp_k, ∅).

• (Src(Tdpp_k)_tdpp)_k, isomorphic to Src(Tdpp_k).

• (Src({0,1} → D_k)_zval)_k, isomorphic to Src({0,1} → D_k).

• (Src({0,1} → {0,1})_bval)_k, isomorphic to Src({0,1} → {0,1}).

• Adv_k, the same adversary as in RS_k.

TR has send outputs that are inputs to Adv. Adv's receive outputs are not connected to anything.
Adv may also interact with the environment, using other inputs and outputs.

TR(D, Tdp) is defined (for arbitrary parameters D and Tdp) in Figure 12. TR simply acquires, as
input, a trap-door permutation pair, a pair of D values, and a pair of bits, and sends these in round 1,
round 2, and round 3 messages respectively.



TR(D, Tdp):

Signature:
  Input:
    rand(p)_tdpp, p ∈ Tdpp
    rand(z)_zval, z ∈ ({0,1} → D)
    rand(b)_bval, b ∈ ({0,1} → {0,1})
  Output:
    send(1, f)_Trans, f ∈ Tdp
    send(2, z)_Rec, z ∈ ({0,1} → D)
    send(3, b)_Trans, b ∈ ({0,1} → {0,1})

State:
  tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
  zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:
  rand(p)_tdpp
    Effect:
      if tdpp = ⊥ then tdpp := p

  rand(z)_zval
    Effect:
      if zval = ⊥ then zval := z

  rand(b)_bval
    Effect:
      if bval = ⊥ then bval := b

  send(1, f)_Trans
    Precondition:
      tdpp ≠ ⊥, f = tdpp.funct
    Effect:
      none

  send(2, z)_Rec
    Precondition:
      z = zval ≠ ⊥
    Effect:
      none

  send(3, b)_Trans
    Precondition:
      b = bval ≠ ⊥
    Effect:
      none

Tasks: {rand(*)_tdpp}, {rand(*)_zval}, {rand(*)_bval}, {send(1,*)_Trans}, {send(2,*)_Rec}, {send(3,*)_Trans}.

State relation: q_1 and q_2 are related iff:
  q_1.tdpp = ⊥ iff q_2.tdpp = ⊥, and similarly for zval and bval.

Figure 12: TR(D, Tdp), for the case where C = ∅.
We define SIS_k, the structured ideal system, to be the composition Funct_k || SSim_k.

Lemma 9.2 In every reachable state of SIS_k:

1. Adv_k.messages contains at most one round 1 message, at most one round 2 message, and at most
one round 3 message.

2. If Adv_k.messages contains (1, f) then TR_k.tdp = f.

3. If Adv_k.messages contains (2, z) then TR_k.zval = z.

4. If Adv_k.messages contains (3, b) then TR_k.bval = b.

5. If TR.bval ≠ ⊥ then TR.bval = Src_bval.chosenval.

Note that an ideal system IS_k consists of Funct_k and some Sim_k satisfying the constraints defined in
Figure 2. By definition, SIS_k is a specific system consisting of Funct_k and a particular simulator, SSim_k,
that satisfies those constraints. Therefore, to prove Theorem 9.1, it suffices to prove that RS ≤_{neg,pt} SIS.

9.2 Int1

We define system Int1_k to be the same as SIS_k except that TR(D_k, Tdp_k) is replaced by TR1(D_k, Tdp_k).
Code for TR1(D, Tdp) appears in Figure 13. TR1 differs from TR as follows: TR1 has input actions
in(x)_Trans, by which it receives transmitter input values directly from the environment. Also, TR1
does not have an input rand_bval; rather, TR1 calculates bval values using the hard-core predicate B
and the inverse of the trap-door permutation applied to the zval values, combined with the transmitter
input values.

Lemma 9.3 In every reachable state of Int1_k:

1. If TR1.zval ≠ ⊥ then Src_zval.chosenval = TR1.zval.

9.3 Int2

We define Int2_k to be the same as SIS_k except that:

1. It includes a new random source (Src({0,1} → {0,1})_cval)_k, which is isomorphic to Src({0,1} →
{0,1}).

2. TR(D_k, Tdp_k) is replaced by TR2(D_k, Tdp_k), where TR2(D, Tdp) is identical to TR1(D, Tdp)
except that:

(a) TR2 includes an extra state variable cval ∈ ({0,1} → {0,1}).

(b) TR2 has input action rand(c)_cval, which sets cval := c.

(c) The line in fix-bval_Trans in which the bval values are chosen is replaced by the line:
for i ∈ {0,1} do bval(i) := cval(i) ⊕ inval(i). That is, instead of calculating the bval values
using the hard-core predicate, TR2 obtains them by applying ⊕ to two bits chosen randomly
and the actual x inputs.

The code for TR2(D, Tdp) appears in Figure 14.

Lemma 9.4 In every reachable state of Int2_k:

1. If TR2.cval ≠ ⊥ then TR2.cval = Src_cval.chosenval.
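To make the difference between TR1 and TR2 concrete, the following is an executable toy model of the two automata of Figures 13 and 14; it is an added illustration, not code from the paper. The trapdoor permutation (a shuffled lookup table whose inverse table plays the trapdoor), the hard-core predicate B (low bit of the preimage), the domain size and the task order in run are constructed stand-ins with no cryptographic strength, and strip_hardcore_bits is a hypothetical helper showing where the x inputs remain recoverable with the trapdoor in Int1 but not in Int2.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Pair = Tuple[int, int]  # a map {0,1} -> D or {0,1} -> {0,1}, stored as a pair


@dataclass(frozen=True)
class Tdpp:
    """Toy trapdoor permutation pair: funct is public, inverse is the trapdoor.
    Constructed stand-in (a shuffled lookup table) with no cryptographic strength."""
    funct: Dict[int, int]
    inverse: Dict[int, int]


def make_tdpp(rng: random.Random, domain_size: int) -> Tdpp:
    images = list(range(domain_size))
    rng.shuffle(images)
    funct = dict(enumerate(images))
    return Tdpp(funct, {v: k for k, v in funct.items()})


def B(y: int) -> int:
    """Hard-core predicate stand-in: the low bit of the preimage."""
    return y & 1


class TR1:
    """TR1(D, Tdp) of Figure 13. Every state variable starts at bottom (None)."""

    INPUTS = ("tdpp", "zval", "inval")  # rand(p)_tdpp, rand(z)_zval, in(x)_Trans

    def __init__(self) -> None:
        self.st: Dict[str, object] = {v: None for v in self.INPUTS + ("bval",)}

    def input(self, var: str, value: object) -> None:
        """Input actions all have the effect 'if var = bottom then var := value'."""
        if var not in self.INPUTS:
            raise ValueError(f"no input action for {var}")
        if self.st[var] is None:
            self.st[var] = value

    def fix_bval(self) -> bool:
        """Internal task fix-bval_Trans; returns False when its precondition fails."""
        if any(self.st[v] is None for v in self.INPUTS) or self.st["bval"] is not None:
            return False
        tdpp, z, x = self.st["tdpp"], self.st["zval"], self.st["inval"]
        # bval(i) := B(tdpp.inverse(zval(i))) xor inval(Trans)(i)
        self.st["bval"] = tuple(B(tdpp.inverse[z[i]]) ^ x[i] for i in (0, 1))
        return True

    def messages(self) -> Dict[int, object]:
        """send(1,f), send(2,z), send(3,b) outputs whose preconditions hold:
        this is the adversary's whole view of TR1."""
        out: Dict[int, object] = {}
        if self.st["tdpp"] is not None:
            out[1] = self.st["tdpp"].funct
        if self.st["zval"] is not None:
            out[2] = self.st["zval"]
        if self.st["bval"] is not None:
            out[3] = self.st["bval"]
        return out


class TR2(TR1):
    """TR2(D, Tdp) of Figure 14: adds rand(c)_cval and uses cval for bval."""

    INPUTS = ("tdpp", "zval", "inval", "cval")

    def fix_bval(self) -> bool:
        if any(self.st[v] is None for v in self.INPUTS) or self.st["bval"] is not None:
            return False
        c, x = self.st["cval"], self.st["inval"]
        # bval(i) := cval(i) xor inval(Trans)(i)
        self.st["bval"] = (c[0] ^ x[0], c[1] ^ x[1])
        return True


def run(tr: TR1, x: Pair, seed: int, domain_size: int = 16) -> Dict[int, object]:
    """Drive the random sources and the environment input in one fixed task
    order (a constructed schedule) and return the adversary's view."""
    rng = random.Random(seed)
    tr.input("tdpp", make_tdpp(rng, domain_size))
    tr.input("zval", (rng.randrange(domain_size), rng.randrange(domain_size)))
    if isinstance(tr, TR2):
        tr.input("cval", (rng.randrange(2), rng.randrange(2)))
    tr.input("inval", x)
    if not tr.fix_bval():
        raise RuntimeError("fix-bval precondition not met")
    return tr.messages()


def strip_hardcore_bits(view: Dict[int, object], inverse: Dict[int, int]) -> Pair:
    """Using the trapdoor, remove B(f^-1(zval(i))) from the round 3 message.
    On a TR1 view this recovers x; on a TR2 view it yields cval xor x xor
    the hard-core bits, which is independent of x."""
    z, b = view[2], view[3]
    return (b[0] ^ B(inverse[z[0]]), b[1] ^ B(inverse[z[1]]))
```

Running the two models with the same seed shows that rounds 1 and 2 are identical in Int1 and Int2 and that only round 3, the bval message, carries the hard-core-bit dependence the middle proof step has to remove.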
TR1(D, Tdp):

Signature:
  Input:
    in(x)_Trans, x ∈ ({0,1} → {0,1})
    rand(p)_tdpp, p ∈ Tdpp
    rand(z)_zval, z ∈ ({0,1} → D)
  Output:
    send(1, f)_Trans, f ∈ Tdp
    send(2, z)_Rec, z ∈ ({0,1} → D)
    send(3, b)_Trans, b ∈ ({0,1} → {0,1})
  Internal:
    fix-bval_Trans

State:
  inval(Trans) ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
  zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:
  in(x)_Trans
    Effect:
      if inval(Trans) = ⊥ then inval(Trans) := x

  rand(p)_tdpp or rand(z)_zval
    Effect:
      As for TR(D, Tdp).

  fix-bval_Trans
    Precondition:
      tdpp, zval, inval ≠ ⊥
      bval = ⊥
    Effect:
      for i ∈ {0,1} do
        bval(i) := B(tdpp.inverse(zval(i))) ⊕ inval(Trans)(i)

  send(1, f)_Trans, send(2, z)_Rec, or send(3, b)_Trans
    Precondition:
      As for TR(D, Tdp).
    Effect:
      As for TR(D, Tdp).

Tasks: {in(*)_Trans}, {rand(*)_tdpp}, {rand(*)_zval}, {send(1,*)_Trans}, {send(2,*)_Rec}, {send(3,*)_Trans},
  {fix-bval_Trans}.

State relation: q_1 and q_2 are related iff:
  q_1.inval(Trans) = ⊥ iff q_2.inval(Trans) = ⊥, and similarly for tdpp, zval, and bval.

Figure 13: TR1(D, Tdp), for the case where C = ∅.



9.4 RS implements Int1

We show:

Lemma 9.5 For every k, RS_k ≤_0 Int1_k.

We prove Lemma 9.5 by choosing an arbitrary environment Env for RS_k and Int1_k, and estab-
lishing a simulation relation from RS_k || Env to Int1_k || Env. (See Section 3.3.6 for the definition of an
environment.) Then we appeal to Theorem 3.54, the soundness result for simulation relations.

An interesting issue in proving Lemma 9.5 is in reconciling the different ways in which zval gets
defined in RS_k and Int1_k. In RS, the choice is made in two steps, first choosing the yval values randomly
and then calculating the zval values from the yval values, whereas in Int1, the zval values are chosen
randomly, in one step.

We also show the following lemma, which is what we need to put the pieces of the proof together:

Lemma 9.6 RS ≤_{neg,pt} Int1.

Lemma 9.6 does not quite follow from Lemma 9.5. The reason is that the statement of Lemma 9.5
does not provide us with the needed bound on the growth of the length of the schedules. However, the
TR2(D, Tdp):

Signature:
  Input:
    in(x)_Trans, x ∈ ({0,1} → {0,1})
    rand(p)_tdpp, p ∈ Tdpp
    rand(z)_zval, z ∈ ({0,1} → D)
    rand(c)_cval, c ∈ ({0,1} → {0,1})
  Output:
    send(1, f)_Trans, f ∈ Tdp
    send(2, z)_Rec, z ∈ ({0,1} → D)
    send(3, b)_Trans, b ∈ ({0,1} → {0,1})
  Internal:
    fix-bval_Trans

State:
  inval(Trans) ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
  zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  cval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:
  in(x)_Trans
    Effect:
      if inval(Trans) = ⊥ then inval(Trans) := x

  rand(p)_tdpp or rand(z)_zval
    Effect:
      As for TR(D, Tdp).

  rand(c)_cval
    Effect:
      if cval = ⊥ then cval := c

  fix-bval_Trans
    Precondition:
      tdpp, zval, cval, inval ≠ ⊥
      bval = ⊥
    Effect:
      for i ∈ {0,1} do
        bval(i) := cval(i) ⊕ inval(Trans)(i)

  send(1, f)_Trans, send(2, z)_Rec, or send(3, b)_Trans
    Precondition:
      As for TR(D, Tdp).
    Effect:
      As for TR(D, Tdp).

Tasks: {in(*)_Trans}, {rand(*)_tdpp}, {rand(*)_zval}, {rand(*)_cval}, {send(1,*)_Trans}, {send(2,*)_Rec},
  {send(3,*)_Trans}, {fix-bval_Trans}.

State relation: q_1 and q_2 are related iff:
  q_1.inval(Trans) = ⊥ iff q_2.inval(Trans) = ⊥, and similarly for tdpp, zval, and cval.

Figure 14: TR2(D, Tdp), for the case where C = ∅.

simulation relation used to prove Lemma 9.5 does indeed guarantee such a bound; in fact, for each step
of RS_k, the step correspondence yields at most two steps of Int1_k.

In the rest of this subsection, we fix Env, an environment for RS_k and Int1_k. We also suppress
mention of k everywhere.

9.4.1 State correspondence 

Here we define the correspondence R from states of RS || Env to states of Int1 || Env, which we will show
to be a simulation relation in Section 9.4.2.

In this mapping, most of the correspondences between variables are simple and direct. The one
exception is the correspondences involving the randomly-chosen zval and yval values. Namely, in the
Int1 system, zval is chosen in one step, whereas in the RS system, zval is determined in three steps:
first, yval is chosen randomly, then communicated to Rec, and then used to compute zval. We choose
to allow the steps where zval's value is determined to correspond at the two levels. Therefore, the states
before zval is determined in the Int1 system correspond to several kinds of states in the RS system,
representing the different stages before zval is determined. In particular, before zval is determined in
the RS system, a distribution on choices of yval in the RS system corresponds to "no choice" in the
Int1 system.

Let ε_1 and ε_2 be discrete probability measures on finite execution fragments of RS || Env and
Int1 || Env, respectively, satisfying the following properties:

1. Trace distribution equivalence: tdist(ε_1) = tdist(ε_2).

2. State equivalence: There exist state equivalence classes S_1 ∈ RS_{RS||Env} and S_2 ∈ RS_{Int1||Env}
such that supp(lstate(ε_1)) ⊆ S_1 and supp(lstate(ε_2)) ⊆ S_2.

Then we say that (ε_1, ε_2) ∈ R if and only if all of the following hold:

1. For every s ∈ supp(lstate(ε_1)) and u ∈ supp(lstate(ε_2)):

(a) u.Funct.inval(Trans) = s.Trans.inval.

(b) u.Funct.inval(Rec) = s.Rec.inval.

(c) u.TR1.inval(Trans) = s.Trans.inval.

(d) u.TR1.tdpp = s.Trans.tdpp.

(e) u.TR1.zval = s.Rec.zval.

(f) u.TR1.bval = s.Trans.bval.

(g) u.Src_tdpp = s.Src_tdpp.

(h) u.Src_zval.chosenval = s.Rec.zval.

(i) u.Adv = s.Adv.

That is, the entire state is the same.

(j) u.Env = s.Env.

2. For every u ∈ supp(lstate(ε_2)):

If u.TR1.zval = ⊥ then one of the following holds:

(a) For every s ∈ supp(lstate(ε_1)), s.Src_yval.chosenval = ⊥.

That is, in all the states in the support of lstate(ε_1), yval has not yet been chosen.

(b) For every s ∈ supp(lstate(ε_1)), s.Rec.yval = ⊥, and lstate(ε_1).Src_yval.chosenval is the
uniform distribution on {0,1} → D.

That is, in all the states in the support of lstate(ε_1), yval has already been chosen by
Src_yval, but has not yet been output to Rec. Moreover, the values chosen by the Src form a
uniform distribution.

(c) lstate(ε_1).Rec.yval is the uniform distribution on {0,1} → D.

9.4.2 The mapping proof 

Lemma 9.7 The relation R defined in Section 9.4.1 is a simulation relation from RS || Env to Int1 || Env.
Furthermore, for each step of RS || Env, the step correspondence yields at most two steps of Int1 || Env,
that is, for every S, T, |corrtasks(S, T)| ≤ 2.

Proof. We prove that R satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the
unique start states s and u of RS || Env and Int1 || Env, respectively, are R-related. Property 1 of R
holds because the state components of s and u on which R depends are all ⊥. Property 2 of R holds
because s.Src_yval.chosenval = ⊥.

Step condition: We define corrtasks : (RS_{RS||Env} × RA_{RS||Env}) → RA*_{Int1||Env} as follows:

For any (S, T) ∈ (RS_{RS||Env} × RA_{RS||Env}):



Preliminary version - August 19, 2005



• If T ∈ {{in(x)_Trans}, {in(i)_Rec}, {choose-rand_tdpp}, {rand_tdpp}, {fix-bval_Trans}, {send(1, f)_Trans},
{receive(1, f)_Rec}, {send(2, z)_Rec}, {receive(2, z)_Trans}, {send(3, b)_Trans}, {receive(3, b)_Rec},
or {out(x)_Rec}}, then corrtasks(S, T) = T.

• If T is an output or internal task of Env or Adv that is not one of the tasks listed above, then
corrtasks(S, T) = T.

• If T ∈ {{choose-rand_yval}, {rand_yval}} then corrtasks(S, T) = λ (the empty sequence).

• If T = {fix-zval_Rec} then corrtasks(S, T) = {choose-rand_zval} {rand_zval}.



Suppose (ε_1, ε_2) ∈ R and T is a task of RS || Env that is enabled in supp(lstate(ε_1)). Let ε'_1 =
apply(ε_1, T) and ε'_2 = apply(ε_2, corrtasks([lstate(ε_1)], T)).

The state equivalence property for ε_1 and ε_2 and Lemma 3.29 imply the state equivalence property
for ε'_1 and ε'_2; that is, there exist state equivalence classes S_1 ∈ RS_{RS||Env} and S_2 ∈ RS_{Int1||Env} such
that supp(lstate(ε'_1)) ⊆ S_1 and supp(lstate(ε'_2)) ⊆ S_2.

Claim 1:

1. The state of Env is the same in all states in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)); let q_Env denote
this state of Env.

This follows from Property 1(j) of R.

2. The state of Adv is the same in all states in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)); let q_Adv denote
this state of Adv.

This follows from Property 1(i) of R.

Claim 2:

1. If T (defined above) is an output or internal task of Env, then

(a) T is enabled in every state in supp(lstate(ε_2)).

To see this, fix any state u ∈ supp(lstate(ε_2)); we show that T is enabled in u. Choose any
s ∈ supp(lstate(ε_1)). Since T is enabled in s and T is an output or internal task of Env, T
is enabled in s.Env. Since, by Claim 1, u.Env = s.Env, T is enabled in u.Env, and hence in
u, as needed.

(b) There is a unique action a ∈ T that is enabled in every state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)).

By the next-action-determinism property for Env, we know that there is a unique action
a ∈ T that is enabled in q_Env. Since T is an output or internal task of Env, a is also the
unique action in T that is enabled in each state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)).

(c) There is a unique transition of Env from q_Env with action a; let tr_Env = (q_Env, a, μ_Env) be
this transition.

This follows from next-transition determinism for Env.

2. If T is an output or internal task of Adv, then

(a) T is enabled in every state in supp(lstate(ε_2)).

By an argument analogous to the one for Env.

(b) There is a unique action a ∈ T that is enabled in every state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)).

(c) There is a unique transition of Adv from q_Adv with action a; let tr_Adv = (q_Adv, a, μ_Adv) be
this transition.
We establish the step condition by considering cases based on the value of T. In each case, we first
show that the sequence of tasks corrtasks([lstate(ε_1)], T) is enabled in every state in supp(lstate(ε_2)).
Then we define a probability measure p on an index set I, and for each j ∈ I, two probability measures
ε'_{1,j} and ε'_{2,j}, on execution fragments of RS || Env and Int1 || Env respectively.

The rest of the proof consists of showing, for each j ∈ I, that (ε'_{1,j}, ε'_{2,j}) ∈ R, and that ε'_1 =
Σ_{j∈I} p(j)(ε'_{1,j}) and ε'_2 = Σ_{j∈I} p(j)(ε'_{2,j}).

In each case, the two summations will follow easily from the definition of apply(,) and the definitions
of p(j), ε'_{1,j}, and ε'_{2,j}, so we will not mention them within the individual cases. More specifically, in each
proof case, p satisfies one of the following conditions: (1) p is the Dirac measure on I = {1}, (2) p is
the uniform probability distribution on a finite set I of indices, or (3) p is a probability distribution on
a countable set I such that, for every j ∈ I, p(j) = μ(x_j), where μ is a fixed probability distribution
and x_j is an element in supp(μ) that is defined within the proof case. Whenever (1) holds, ε'_1 and
ε'_2 are defined to be ε'_{1,1} and ε'_{2,1}, respectively, so the summation clearly holds. Whenever (2) holds,
the first summation follows from the following facts: (a) Each execution fragment α ∈ supp(ε'_1) is in
supp(ε'_{1,j}) for a unique j; for every j' ≠ j, ε'_{1,j'}(α) = 0. (b) For each execution fragment α ∈ supp(ε'_1),
ε'_1(α) = p(j) ε'_{1,j}(α) for the unique j in property (a); this is because apply(,) causes a choice from a
uniform distribution and because of the way ε'_{1,j} is defined. The second summation holds for similar
reasons. The reasoning for case (3) is similar to that for case (2), but using μ instead of the uniform
distribution.

To show that (ε'_{1,j}, ε'_{2,j}) ∈ R, we must establish Properties 1 and 2 of the definition of R for ε'_{1,j} and
ε'_{2,j}. We must also show the trace distribution equivalence and state equivalence properties for ε'_{1,j} and
ε'_{2,j}.

The state equivalence property follows for a generic reason: As noted above, there exist state equiva-
lence classes S_1 ∈ RS_{RS||Env} and S_2 ∈ RS_{Int1||Env} such that supp(lstate(ε'_1)) ⊆ S_1 and supp(lstate(ε'_2)) ⊆
S_2. Since supp(ε'_{1,j}) ⊆ supp(ε'_1) and supp(ε'_{2,j}) ⊆ supp(ε'_2), it follows that supp(lstate(ε'_{1,j})) ⊆ S_1 and
supp(lstate(ε'_{2,j})) ⊆ S_2. This implies state equivalence for ε'_{1,j} and ε'_{2,j}. Thus, we will not mention the
state equivalence property within the individual proof cases.

We now proceed to consider the proof cases.

1. T = {in(x)_Trans}.

Since T is an output task of Env, Claim 2 implies that T is enabled in every state in supp(lstate(ε_2)),
that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)),
and that there is a unique transition tr_Env = (q_Env, a, μ_Env) of Env from q_Env with action a. Here,
a = in(x)_Trans for a particular value of x.

Next, we define the probability measures needed to show the step correspondence. Suppose that
supp(μ_Env) is the set {q_j : j ∈ I} of states of Env, where I is a countable index set. Let p be
the probability measure on index set I such that, for each j ∈ I, p(j) = μ_Env(q_j). For each
j ∈ I, we define probability measure ε'_{1,j} as follows. The support supp(ε'_{1,j}) is the set of execution
fragments α ∈ supp(ε'_1) such that lstate(α).Env = q_j. For each α ∈ supp(ε'_{1,j}) of the form α' a q_j,
let ε'_{1,j}(α) = ε_1(α'). We define ε'_{2,j} analogously from ε'_2.

Now fix j ∈ I; it remains to show that (ε'_{1,j}, ε'_{2,j}) ∈ R. To do this, we establish Properties 1 and 2
of the definition of R for ε'_{1,j} and ε'_{2,j}, and show trace distribution equivalence for ε'_{1,j} and ε'_{2,j}.

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_{1,j})) and u' ∈ supp(lstate(ε'_{2,j})). Let
s be any state in supp(lstate(ε_1)) such that s' ∈ supp(μ_s) where (s, a, μ_s) ∈ D_{RS||Env}. Similarly,
let u be any state in supp(lstate(ε_2)) such that u' ∈ supp(μ_u) where (u, a, μ_u) ∈ D_{Int1||Env}.

If s.Trans.inval ≠ ⊥ then by Properties 1(a) and 1(c), u.Funct.inval(Trans) ≠ ⊥ and u.TR1.inval(Trans) ≠
⊥. In this case, task T has no effect on any component other than Env, in either system. Since
s'.Env = q_j = u'.Env by definition, it is easy to see that Property 1 holds for s' and u', and
hence, for ε'_{1,j} and ε'_{2,j}.

Now suppose that s.Trans.inval = ⊥. Then again by Properties 1(a) and 1(c), u.Funct.inval(Trans) =
u.TR1.inval(Trans) = ⊥. Then by the definitions of RS and Int1, we know that application of
T updates Trans.inval in the RS system, and Funct.inval(Trans) and TR1.inval(Trans) in the
Int1 system. It also updates the state of Env in both systems.

We know by Property 1(a) that u.Funct.inval(Trans) = s.Trans.inval, by Property 1(c) that
u.TR1.inval(Trans) = s.Trans.inval, and by Property 1(j) that u.Env = s.Env. By the ef-
fects of T in the definitions of Trans, Funct, and TR1, we know that u'.Funct.inval(Trans) =
s'.Trans.inval, and u'.TR1.inval(Trans) = s'.Trans.inval; hence, Properties 1(a) and 1(c) hold
for s' and u'. We also know that Property 1(j) holds for s' and u' by definition of ε'_{1,j} and ε'_{2,j}:
in both s' and u', the state of Env is q_j. Since no state component other than Trans.inval and
Env in the RS system, and Funct.inval(Trans), TR1.inval(Trans), and Env in the Int1 system,
is updated by the application of T, we conclude that Property 1 holds for s' and u', and hence,
for ε'_{1,j} and ε'_{2,j}.

To establish Property 2, consider any state u' ∈ supp(lstate(ε'_{2,j})) such that u'.TR1.zval = ⊥.
We need to show that one of the following holds:

(a) For every s' ∈ supp(lstate(ε'_{1,j})), s'.Src_yval.chosenval = ⊥.

(b) For every s' ∈ supp(lstate(ε'_{1,j})), s'.Rec.yval = ⊥, and lstate(ε'_{1,j}).Src_yval.chosenval is the
uniform distribution on {0,1} → D.

(c) lstate(ε'_{1,j}).Rec.yval is the uniform distribution on {0,1} → D.

Let u be any state in supp(lstate(ε_2)) such that u' ∈ supp(μ_u) where (u, a, μ_u) ∈ D_{Int1||Env}. By
the effects of T, we know that u.TR1.zval = u'.TR1.zval = ⊥. Then, by Property 2 for u, one
of the following holds:

(a) For every s ∈ supp(lstate(ε_1)), s.Src_yval.chosenval = ⊥.

(b) For every s ∈ supp(lstate(ε_1)), s.Rec.yval = ⊥, and lstate(ε_1).Src_yval.chosenval is the
uniform distribution on {0,1} → D.

(c) lstate(ε_1).Rec.yval is the uniform distribution on {0,1} → D.

If (a) holds for ε_1 and u, then consider any s' ∈ supp(lstate(ε'_{1,j})). Let s be any state in
supp(lstate(ε_1)) such that s' ∈ supp(μ_s) where (s, a, μ_s) ∈ D_{RS||Env}. We have by (a) that
s.Src_yval.chosenval = ⊥. By definition of the effects of T, s'.Src_yval.chosenval = s.Src_yval.chosenval =
⊥, and so (a) holds for ε'_{1,j} and u'.

If (b) holds for ε_1 and u, then consider any s' ∈ supp(lstate(ε'_{1,j})). Let s be any state in
supp(lstate(ε_1)) such that s' ∈ supp(μ_s) where (s, a, μ_s) ∈ D_{RS||Env}. We have by (b) that
s.Rec.yval = ⊥. By the effects of T, s'.Rec.yval = s.Rec.yval = ⊥, so the first part of (b) holds. For
the second part of (b), recall that we have defined ε'_{1,j} in such a way that for each α ∈ supp(ε'_{1,j}),
where α is of the form α' a q_j, we have ε'_{1,j}(α) = ε_1(α'). Since T transitions do not affect the value
of Src_yval.chosenval, we have that lstate(ε'_{1,j}).Src_yval.chosenval = lstate(ε_1).Src_yval.chosenval,
and so (b) holds for ε'_{1,j} and u'.

If (c) holds for ε_1 and u, then we argue as for the second part of (b), using the fact that T
transitions do not affect Rec.yval. Thus, (c) holds for ε'_{1,j} and u'. Therefore, in all cases, Property
2 holds for ε'_{1,j} and u', and hence for ε'_{1,j} and ε'_{2,j}.

Finally, we show that tdist(ε'_{1,j}) = tdist(ε'_{2,j}). Since ε'_{1,j} and ε'_{2,j} are derived from ε'_1 and ε'_2 by
apply(,) and a is the unique action in T that is enabled in all states in supp(ε_1) ∪ supp(ε_2),
we know that each trace in supp(tdist(ε'_{1,j})) is of the form β_1 a, where β_1 ∈ supp(tdist(ε_1)),
and each trace in supp(tdist(ε'_{2,j})) is of the form β_2 a, where β_2 ∈ supp(tdist(ε_2)). In fact,
tdist(ε'_{1,j})(β_1 a) = tdist(ε_1)(β_1) and tdist(ε'_{2,j})(β_2 a) = tdist(ε_2)(β_2). Since tdist(ε_1) = tdist(ε_2),
we have tdist(ε'_{1,j}) = tdist(ε'_{2,j}), as needed.

2. T= {m(i) flec }. 
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Since T is an output task of Env, Claim 2 implies that T is enabled in every state in supp(lstate(e2)), 
that there is a unique action a € T that is enabled in every state in supp(lstate(ei))Usupp(lstate(e2)), 
and that there is a unique transition trEnv — (lEnv, a, IJ>Env) of Env from qEnv with action a. Here, 
a = in{i)ji cc for a particular value of i. 

The rest of the proof for this case follows the proof for T = {in(x) Trans} ■ The only difference 
is that, in showing Property 1 for e\, and eL, for a fixed j, we use the fact that application of 
T affects only Rec.inval and Env in the RS system, and Funct .inval(Rec) and Env in the Intl 
system, and use Properties 1(b) and l(j) instead of Properties 1(a), 1(c), and l(j). 

T = {choose — randtdpp}- 

We first show that T is enabled in every state in supp{lstate{e 2 )). Thus, fix any state u G 
supp(lstate(e2)); we show that T is enabled in u. Choose any s G supp{lstate{ei)). Since T is 
enabled in s and T is an internal task of Srctdpp, T is enabled in s.Srctdpp- The precondition of T 
in the definition of Src t dp P implies that s.Src t d P p-chosenval = _L. By Property 1(g), u.Src t d PP — 
s.Srctdpp- So, T is enabled in u.Srctdpp, and hence in u, as needed. 

Next we define the probability measures needed to show the step correspondence. Let p be the 
uniform probability measure on the index set I = {1, ..., r} where r = |Tdp|; that is, p(j) = 1/r 
for each j ∈ I. For each j ∈ I, we define probability measure ε'_{1j} as follows. The support 
supp(ε'_{1j}) is the set of execution fragments α ∈ supp(ε'_1) such that lstate(α).Src_{tdpp}.chosenval 
is the jth element in domain Tdp (in some enumeration). For each α ∈ supp(ε'_{1j}) of the form 
α' choose-rand_{tdpp} q, let ε'_{1j}(α) = ε1(α'). We define ε'_{2j} analogously from ε'_2. 

Now fix j ∈ I; we show that (ε'_{1j}, ε'_{2j}) ∈ R. To do this, we establish Properties 1 and 2 of R for 
ε'_{1j} and ε'_{2j}, and show trace distribution equivalence for ε'_{1j} and ε'_{2j}. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_{1j})) and u' ∈ supp(lstate(ε'_{2j})). 
By definitions of ε'_{1j} and ε'_{2j}, we know that u'.Src_{tdpp}.chosenval = s'.Src_{tdpp}.chosenval. Hence, 
Property 1(g) holds for s' and u'. Since no component other than Src_{tdpp}.chosenval is updated 
by the application of T, we conclude that Property 1 holds for s' and u', and hence, for ε'_{1j} and ε'_{2j}. 

The proof for Property 2 is similar to the corresponding part of the proof for T = {in(x)_{Trans}}. 
For trace distribution equivalence, we must show that tdist(ε'_{1j}) = tdist(ε'_{2j}). Since ε'_{1j} and ε'_{2j} are 
derived from ε1 and ε2 by apply(·,·) and the actions that are enabled in states in supp(ε1) ∪ supp(ε2) 
are internal, tdist(ε'_{1j}) = tdist(ε1) and tdist(ε'_{2j}) = tdist(ε2). Since tdist(ε1) = tdist(ε2), we have 
tdist(ε'_{1j}) = tdist(ε'_{2j}), as needed. 

4. T = {rand(p)_{tdpp}}. 

We first show that T is enabled in every state in supp(lstate(ε2)). Thus, fix any state u ∈ 
supp(lstate(ε2)); we show that T is enabled in u. Choose any s ∈ supp(lstate(ε1)). Since T is 
enabled in s and T is an output task of Src_{tdpp}, T is enabled in s.Src_{tdpp} and so s.Src_{tdpp}.chosenval ≠ 
⊥. By Property 1(g) for s and u, u.Src_{tdpp} = s.Src_{tdpp}. So, T is enabled in u.Src_{tdpp}, and hence 
in u, as needed. 

We show that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ 
supp(lstate(ε2)), as in the proofs for Claim 1 and Claim 2. Here, we use Property 1(g) instead of 
1(j). 

The probability measures for this case are trivial: Let I be the singleton index set {1}, let p be 
the Dirac measure on 1, and let ε'_{11} = ε'_1 and ε'_{21} = ε'_2. To show that (ε'_1, ε'_2) ∈ R, we establish 
Properties 1 and 2 of R for ε'_1 and ε'_2, and show trace distribution equivalence for ε'_1 and ε'_2. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_1)) and u' ∈ supp(lstate(ε'_2)). Let 
s be any state in supp(lstate(ε1)) such that s' ∈ supp(μ_s) where (s, a, μ_s) ∈ D_{RS||Env}. Similarly, 
let u be any state in supp(lstate(ε2)) such that u' ∈ supp(μ_u) where (u, a, μ_u) ∈ D_{Int1||Env}. 

By definitions of RS and Int1 we know that application of T updates Trans.tdpp in the RS system, 
and TR1.tdpp in the Int1 system. We know by Property 1(d) that u.TR1.tdpp = s.Trans.tdpp. 
By the effects of T in Trans and TR1, we know that u'.TR1.tdpp = s'.Trans.tdpp; hence, Property 
1(d) holds. Since no component other than Trans.tdpp in the RS system and TR1.tdpp in the 
Int1 system is updated by the application of T, we conclude that Property 1 holds for s' and u', 
and hence, for ε'_1 and ε'_2. 

The proofs for Property 2 and trace distribution equivalence are similar to the corresponding parts 
of the proof for T = {in(x)_{Trans}}, using ε'_1 and ε'_2 instead of ε'_{1j} and ε'_{2j}. 

5. T = {choose-rand_{yval}}. 

Here, a random choice is made in the RS system but not in the Int1 system. Since corrtasks([lstate(ε1)], T) 
= λ, no enabling condition needs to be shown. Also, we have ε'_2 = ε2. 

Let p be the Dirac measure on the single index 1 and let ε'_{11} = ε'_1 and ε'_{21} = ε'_2. To show that 
(ε'_1, ε'_2) ∈ R, we establish Properties 1 and 2 of R for ε'_1 and ε'_2, and show trace distribution 
equivalence for ε'_1 and ε'_2. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_1)) and u' ∈ supp(lstate(ε'_2)). Since 
ε'_2 = ε2, we know that u' ∈ supp(lstate(ε2)). Let s be any state in supp(lstate(ε1)) such that 
s' ∈ supp(μ_s) where (s, choose-rand_{yval}, μ_s) ∈ D_{RS||Env}. We know that Property 1 holds for 
s and u'. Observe that the application of T updates only the s.Src_{yval}.chosenval component in 
the RS system and the application of λ leaves u' unchanged. Since Property 1 does not mention 
Src_{yval}.chosenval, we conclude that Property 1 holds for s' and u', and hence, for ε'_1 and ε'_2. 

To establish Property 2, consider any state u' ∈ supp(lstate(ε'_2)) such that u'.TR1.zval = ⊥. We 
show that Property 2(b) holds; that is, we show that for every s' ∈ supp(lstate(ε'_1)), s'.Rec.yval = 
⊥, and lstate(ε'_1).Src_{yval}.chosenval is the uniform distribution on {0,1} → D. 

Consider any s' ∈ supp(lstate(ε'_1)). Let s be any state in supp(lstate(ε1)) such that s' ∈ supp(μ_s) 
where (s, choose-rand_{yval}, μ_s) ∈ D_{RS||Env}. Since choose-rand_{yval} is enabled in s, we know that 
s.Src_{yval}.chosenval = ⊥. Therefore, by Lemma 6.3, s.Rec.yval = ⊥. Since T does not update 
Rec.yval we have s'.Rec.yval = ⊥. Hence, the first part of 2(b) holds. 

For the second part of 2(b), the effects of T imply that Src_{yval}.chosenval is chosen according to 
the uniform probability distribution on domain {0,1} → D. So, lstate(ε'_1).Src_{yval}.chosenval is 
the uniform distribution on {0,1} → D, as needed. 

The fact that tdist(ε'_1) = tdist(ε'_2) follows from the fact that tdist(ε1) = tdist(ε2) and the 
definitions of ε'_1 and ε'_2. 

6. T = {rand(y)_{yval}}. 

Here, a step is taken in the RS system but not in the Int1 system. Since corrtasks([lstate(ε1)], T) = 
λ, no enabling condition needs to be shown, and ε'_2 = ε2. 

Next, we define the probability measures. Let I be the singleton index set {1}, let p be the Dirac 
measure on 1, and let ε'_{11} = ε'_1 and ε'_{21} = ε'_2. To show that (ε'_1, ε'_2) ∈ R, we establish Properties 1 
and 2 of R for ε'_1 and ε'_2, and show trace distribution equivalence. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_1)) and u' ∈ supp(lstate(ε'_2)). Since 
ε'_2 = ε2, we know that u' ∈ supp(lstate(ε2)). Let s be any state in supp(lstate(ε1)) such that 
s' ∈ supp(μ_s) where (s, rand(y)_{yval}, μ_s) ∈ D_{RS||Env} and y = s.Src_{yval}.chosenval. We know that 
Property 1 holds for s and u'. Observe that the application of T updates only the s.Rec.yval 
component in the RS system and the application of λ leaves u' unchanged. Since Property 1 does 
not mention Rec.yval, we conclude that Property 1 holds for s' and u', and hence, for ε'_1 and ε'_2. 

To establish Property 2, consider any state u' ∈ supp(lstate(ε'_2)) such that u'.TR1.zval = ⊥. We 
show that Property 2(c) holds; that is, we show that lstate(ε'_1).Rec.yval is the uniform distribution 
on {0,1} → D. 

Since u' ∈ supp(lstate(ε2)), we know that Property 2 holds for u' and ε1. However, 2(a) cannot 
hold because T is enabled in supp(lstate(ε1)), so either 2(b) or 2(c) must hold for u' and ε1. If 2(b) 
holds for u' and ε1, then consider any s' ∈ supp(lstate(ε'_1)). Let s be any state in supp(lstate(ε1)) 
such that s' ∈ supp(μ_s) where (s, rand(y)_{yval}, μ_s) ∈ D_{RS||Env} and y = s.Src_{yval}.chosenval. We 
know that s.Rec.yval = ⊥ and lstate(ε1).Src_{yval}.chosenval is the uniform distribution on {0,1} → 
D. Then, by the effects of T and the definition of ε'_1, s'.Rec.yval ≠ ⊥ and lstate(ε'_1).Rec.yval is 
the uniform distribution on {0,1} → D, and hence 2(c) holds for u' and ε'_1, as needed. 

On the other hand, if 2(c) holds for u' and ε1, then we know that lstate(ε1).Rec.yval is the uniform 
distribution on {0,1} → D. Since the application of T affects Rec.yval only if it is ⊥, we know 
that lstate(ε'_1).Rec.yval = lstate(ε1).Rec.yval. Therefore, in this case 2(c) holds for u' and ε'_1, as 
needed to show Property 2. 

The fact that tdist(ε'_1) = tdist(ε'_2) follows from the fact that tdist(ε1) = tdist(ε2) and the 
definitions of ε'_1 and ε'_2. 

7. T = {fix-zval_{Rec}}. 

Here, a deterministic step in the RS system maps to a random choice in the Int1 system. We first 
show that the sequence of tasks {choose-rand_{zval}} {rand(z)_{zval}} is enabled in supp(lstate(ε2)). 
First, consider any state u ∈ supp(lstate(ε2)); we show that {choose-rand_{zval}} is enabled in 
u. Choose any s ∈ supp(lstate(ε1)). Since T is enabled in s and T is an internal task of Rec, 
T is enabled in s.Rec. By the precondition of the fix-zval_{Rec} action in Rec, we know that 
s.Rec.zval = ⊥. By Property 1(h) for s and u, u.Src_{zval}.chosenval = ⊥. So, {choose-rand_{zval}} 
is enabled in u, as needed. 

Now, let ε''_2 be the measure apply(ε2, {choose-rand_{zval}}). We claim that {rand(z)_{zval}} is 
enabled in supp(lstate(ε''_2)). Consider any state u'' ∈ supp(lstate(ε''_2)). By the effect of {choose-
rand_{zval}}, we know that u''.Src_{zval}.chosenval ≠ ⊥, which is the only precondition on actions in 
{rand(z)_{zval}}. Thus, {rand(z)_{zval}} is enabled in supp(lstate(ε''_2)), as needed. 

Next, we claim that lstate(ε1).Rec.yval is the uniform distribution on {0,1} → D. To see this, 
consider any pair of states s ∈ supp(lstate(ε1)) and u ∈ supp(lstate(ε2)). Since s.Rec.zval = ⊥, 
by Property 1(e), we have u.TR1.zval = ⊥. Then by Property 2 for u and ε1, we know that one 
of the following holds: 

(a) s.Src_{yval}.chosenval = ⊥. 

(b) s.Rec.yval = ⊥ and lstate(ε1).Src_{yval}.chosenval is the uniform distribution on {0,1} → D. 

(c) lstate(ε1).Rec.yval is the uniform distribution on {0,1} → D. 

However, since T is enabled in supp(lstate(ε1)), we know that s.Rec.yval ≠ ⊥, so (b) cannot 
hold. Using Lemma 6.3, we see that also (a) cannot hold. Therefore, (c) holds; that is, 
lstate(ε1).Rec.yval is the uniform distribution on {0,1} → D, as needed. 

Next, we show that lstate(ε'_1).Rec.zval is the uniform distribution on {0,1} → D: By Property 
1(b), Rec.inval is the same in all states in supp(lstate(ε1)). By Lemma 6.4 5(b) and Property 
1(d), Rec.tdp is the same in every state in supp(lstate(ε1)). The effect of a fix-zval_{Rec} action 
gives Rec.zval(inval) = tdp(yval(inval)) and Rec.zval(1 − inval) = yval(1 − inval), where tdp 
is a permutation. Thus, since lstate(ε1).Rec.yval is the uniform distribution on {0,1} → D, it 
follows that lstate(ε'_1).Rec.zval is also the uniform distribution on {0,1} → D. 

Next, we define the probability measures needed to show the step correspondence. Let p be the 
uniform probability measure on the index set I = {1, ..., r} where r = |{0,1} → D| = |D|^2. That 
is, p(j) = 1/r for each j ∈ I. For each j ∈ I, we define probability measure ε'_{1j} as follows. The 
support supp(ε'_{1j}) is the set of execution fragments α ∈ supp(ε'_1) such that lstate(α).Rec.zval is 
the jth element of the domain {0,1} → D. For each α ∈ supp(ε'_{1j}) of the form α' fix-zval_{Rec} q, 
let ε'_{1j}(α) = ε1(α'). Similarly, we define probability measure ε'_{2j} as follows. The support supp(ε'_{2j}) 
is the set of execution fragments α ∈ supp(ε'_2) such that lstate(α).TR1.zval is the jth element of 
the domain {0,1} → D. For each α ∈ supp(ε'_{2j}) of the form α' choose-rand_{zval} q rand(z)_{zval} q', let 
ε'_{2j}(α) = ε2(α'). 
Now fix j ∈ I; we show that (ε'_{1j}, ε'_{2j}) ∈ R. To do this, we establish Properties 1 and 2 of R for 
ε'_{1j} and ε'_{2j}, and show trace distribution equivalence for ε'_{1j} and ε'_{2j}. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_{1j})) and u' ∈ supp(lstate(ε'_{2j})). By 
definitions of RS and Int1, we know that application of T updates Rec.zval in the RS system 
and application of the sequence {choose-rand_{zval}} {rand(z)_{zval}} updates Src_{zval}.chosenval and 
TR1.zval in the Int1 system. We show that Properties 1(e) and 1(h) hold for u' and s'. 

Property 1(e) follows from the definitions of ε'_{1j} and ε'_{2j}: both actions give the same element of 
the domain {0,1} → D when projected onto Rec.zval and TR1.zval. For Property 1(h), we 
use the fact that u'.TR1.zval = s'.Rec.zval, and we observe in addition that if u'.TR1.zval ≠ 
⊥, then u'.TR1.zval = u'.Src_{zval}.chosenval, by Lemma 9.3. Since no state component other 
than Rec.zval in the RS system is updated by the application of T, and no state component 
other than TR1.zval and Src_{zval}.chosenval is updated by the application of {choose-
rand_{zval}} {rand(z)_{zval}} in the Int1 system, we conclude that Property 1 holds for s' and u', and 
hence, for ε'_{1j} and ε'_{2j}. 

Property 2 holds trivially in this case since for any state u' ∈ supp(lstate(ε'_{2j})), we have u'.TR1.zval ≠ 
⊥ by definition of ε'_{2j}. 

The fact that tdist(ε'_{1j}) = tdist(ε'_{2j}) follows from the fact that tdist(ε1) = tdist(ε2) and the 
definitions of ε'_{1j} and ε'_{2j}. 

8. T = {fix-bval_{Trans}}. 

We first show that T is enabled in every state in supp(lstate(ε2)). Fix any state u ∈ supp(lstate(ε2)); 
we show that T is enabled in u. Choose any s ∈ supp(lstate(ε1)). Since T is enabled in s and T 
is an internal task of Trans, T is enabled in s.Trans, and s.Trans.zval ≠ ⊥, s.Trans.tdpp ≠ ⊥, 
s.Trans.inval ≠ ⊥, and s.Trans.bval = ⊥. By Property 1(c), u.TR1.inval(Trans) = s.Trans.inval ≠ 
⊥. By Property 1(d), u.TR1.tdpp = s.Trans.tdpp ≠ ⊥. By Lemma 6.4 7(b), s.Rec.zval ≠ ⊥, and 
by Property 1(e), u.TR1.zval = s.Rec.zval ≠ ⊥. Finally, by Property 1(f), u.TR1.bval = ⊥. So, 
T is enabled in u.TR1, and hence in u, as needed. 

Let I be the singleton index set {1}, let p be the Dirac measure on 1, and let ε'_{11} = ε'_1 and ε'_{21} = ε'_2. 
To show that (ε'_1, ε'_2) ∈ R, we establish Properties 1 and 2 of R for ε'_1 and ε'_2, and show trace 
distribution equivalence for ε'_1 and ε'_2. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_1)) and u' ∈ supp(lstate(ε'_2)). 
Let s be any state in supp(lstate(ε1)) such that s' ∈ supp(μ_s), where (s, fix-bval_{Trans}, μ_s) ∈ 
D_{RS||Env}. Similarly, let u be any state in supp(lstate(ε2)) such that u' ∈ supp(μ_u), where (u, fix-
bval_{Trans}, μ_u) ∈ D_{Int1||Env}. 

By definitions of RS and Int1 we know that application of T updates Trans.bval in the RS 
system and TR1.bval in the Int1 system. By the effects of T in the two systems, we know that 
u'.TR1.bval = s'.Trans.bval; hence, Property 1(f) holds. Since no state component other than 
Trans.bval in the RS system, and TR1.bval in the Int1 system is updated by the application of 
T, we conclude that Property 1 holds for s' and u', and hence, for ε'_1 and ε'_2. 

To establish Property 2, consider any state u' ∈ supp(lstate(ε'_2)). We show that u'.TR1.zval ≠ ⊥, 
and therefore Property 2 of R holds trivially. Let u be some state in supp(lstate(ε2)) such that 
u' ∈ supp(μ_u) where (u, fix-bval_{Trans}, μ_u) ∈ D_{Int1||Env}. Since T is enabled in u, we know that 
u.TR1.zval ≠ ⊥. By the effects of T, we know that u'.TR1.zval = u.TR1.zval ≠ ⊥, as claimed. 

The fact that tdist(ε'_1) = tdist(ε'_2) follows from the fact that tdist(ε1) = tdist(ε2) and the 
definitions of ε'_1 and ε'_2. 

9. T = {send(1,f)_{Trans}}. 

We first show that T is enabled in every state in supp(lstate(ε2)). Fix any state u ∈ supp(lstate(ε2)); 
we show that T is enabled in u. Choose any s ∈ supp(lstate(ε1)). Since T is enabled in s and T 
is an output task of Trans, T is enabled in s.Trans, and so s.Trans.tdpp ≠ ⊥. By Property 1(d), 
u.TR1.tdpp = s.Trans.tdpp. So, T is enabled in u.TR1, and hence in u, as needed. 

Next, we show that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ 
supp(lstate(ε2)). We know by Property 1(d) that variables Trans.tdpp and TR1.tdpp have the 
same unique value in all states in supp(lstate(ε1)) ∪ supp(lstate(ε2)). Since the parameter f in 
send(1,f)_{Trans} is defined to be Trans.tdpp.funct, we conclude that the action send(1, Trans.tdpp.funct) 
is the unique action in T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)). We 
use a to refer to send(1, Trans.tdpp.funct) in the rest of the proof for this case. 

Let I be the singleton index set {1}, let p be the Dirac measure on 1, and let ε'_{11} = ε'_1 and ε'_{21} = ε'_2. 
To show that (ε'_1, ε'_2) ∈ R, we establish Properties 1 and 2 of R for ε'_1 and ε'_2, and show trace 
distribution equivalence for ε'_1 and ε'_2. 

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_1)) and u' ∈ supp(lstate(ε'_2)). Let 
s be any state in supp(lstate(ε1)) such that s' ∈ supp(μ_s) where (s, a, μ_s) ∈ D_{RS||Env}. Similarly, 
let u be any state in supp(lstate(ε2)) such that u' ∈ supp(μ_u) where (u, a, μ_u) ∈ D_{Int1||Env}. 

By definitions of RS and Int1 we know that application of T updates only Adv.messages in both 
the RS and Int1 systems. By Property 1(i), u.Adv = s.Adv. It is obvious that u'.Adv = s'.Adv 
and that 1(i) holds, since Adv is the same automaton in both systems. Since no component other 
than Adv.messages is updated, we conclude that Property 1 holds for s' and u', and hence, for 
ε'_1 and ε'_2. 

The proofs for Property 2 and trace distribution equivalence are similar to the corresponding parts 
of the proof for T = {in(x)_{Trans}}, using ε'_1 and ε'_2 instead of ε'_{1j} and ε'_{2j}. 

10. T = {send(2,z)_{Rec}}. 

We first show that T is enabled in every state in supp(lstate(ε2)). Fix any state u ∈ supp(lstate(ε2)); 
we show that T is enabled in u. Choose any s ∈ supp(lstate(ε1)). Since T is enabled in s and T 
is an output task of Rec, T is enabled in s.Rec, and therefore s.Rec.zval ≠ ⊥. By Property 1(e), 
u.TR1.zval = s.Rec.zval ≠ ⊥. So, T is enabled in u.TR1, and hence in u, as needed. 

Next, we show that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ 
supp(lstate(ε2)). We know by Property 1(e) that variables Rec.zval and TR1.zval have the same 
unique value in all states in supp(lstate(ε1)) ∪ supp(lstate(ε2)), and there is a unique action 
a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)). Note that here a is 
send(2,z)_{Rec} for a fixed value of z. 

The rest is identical to the proof for T = {send(1,f)_{Trans}}. 

11. T = {send(3,b)_{Trans}}. 

The proof that T is enabled in every state in supp(lstate(ε2)) is analogous to the corresponding 
part of the proof for T = {send(1,f)_{Trans}}, using Property 1(f) instead of 1(d). 

We also show that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ 
supp(lstate(ε2)), arguing as in the case for T = {send(1,f)_{Trans}}. Here, the unique action is 
determined by fixing the value of parameter b to the value of variables Trans.bval and TR1.bval, 
which is the same in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)). 

The rest of the proof is identical to the proof for T = {send(1,f)_{Trans}}. 

12. T = {receive(1,f)_{Rec}}. 

Since T is an output task of Adv, Claim 2 implies that T is enabled in every state in supp(lstate(ε2)), 
that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)), 
and that there is a unique transition tr_Adv = (q_Adv, a, μ_Adv) of Adv from q_Adv with action a. Here, 
a is receive(1,f)_{Rec} for a fixed value of f. 
The rest is similar to the proof for T = {send(1,f)_{Trans}}. The only difference is that in showing 
that Property 1 holds, we use the fact that application of T updates only Rec.tdp in RS and that 
R does not depend on this component. 

13. T = {receive(2,z)_{Trans}}. 

Since T is an output task of Adv, Claim 2 implies that T is enabled in every state in supp(lstate(ε2)), 
that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)), 
and that there is a unique transition tr_Adv = (q_Adv, a, μ_Adv) of Adv from q_Adv with action a. Here 
a is receive(2,z)_{Trans} for a fixed value of z. 

The rest of the proof differs from the proof for T = {receive(1,f)_{Rec}} only in showing that 
Property 1 holds; here we use the fact that the application of T updates Trans.zval only, which 
has no effect on R. 

14. T = {receive(3,b)_{Rec}}. 

Since T is an output task of Adv, Claim 2 implies that T is enabled in every state in supp(lstate(ε2)), 
that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)), 
and that there is a unique transition tr_Adv = (q_Adv, a, μ_Adv) of Adv from q_Adv with action a. Here 
a is receive(3,b)_{Rec} for a fixed value of b. 

The rest of the proof differs from the proof for T = {receive(1,f)_{Rec}} only in showing that 
Property 1 holds; here, we use the fact that the application of T updates Rec.outval only, which 
has no effect on R. 

15. T = {out(x)_{Rec}}. 

We first show that T is enabled in every state in supp(lstate(ε2)). So, fix any state u ∈ 
supp(lstate(ε2)); we show that T is enabled in u. Note that T is an output task of Funct in the 
Int1 system. Choose any s ∈ supp(lstate(ε1)). Since T is enabled in s and T is an output task 
of Rec in RS, T is enabled in s.Rec and s.Rec.outval ≠ ⊥. Then, by Lemma 6.4 10(b), we know 
that s.Rec.outval = s.Trans.inval(s.Rec.inval) ≠ ⊥. By Property 1(a), u.Funct.inval(Trans) = 
s.Trans.inval and by Property 1(b) u.Funct.inval(Rec) = s.Rec.inval. Therefore, we have that 
u.Funct.inval(Trans) ≠ ⊥ and u.Funct.inval(Rec) ≠ ⊥. So, T is enabled in u.Funct, and hence 
in u, as needed. 

Next, we show that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ 
supp(lstate(ε2)). We know by Property 1(a) that Trans.inval is the same in all states in supp(lstate(ε1)) 
and by Property 1(b) that Rec.inval is the same in all states in supp(lstate(ε1)). Since T is 
enabled in supp(lstate(ε1)), we know by the precondition of actions in T and by Lemma 6.4 10(b) 
that out(s.Trans.inval(s.Rec.inval)) is the unique action in T that is enabled in supp(lstate(ε1)). 
We use a to refer to out(s.Trans.inval(s.Rec.inval)) in the rest of the proof for this case. Similarly, 
by Property 1(a) we know that Funct.inval(Trans) is the same in all states in supp(lstate(ε2)) 
and is equal to Trans.inval. By Property 1(b) we know that Funct.inval(Rec) is the same in 
all states in supp(lstate(ε2)) and is equal to Rec.inval. Hence, a is also the unique action that is 
enabled in supp(lstate(ε2)), and thus in supp(lstate(ε1)) ∪ supp(lstate(ε2)), as needed. 

Then next-transition determinism for Env implies that there is a unique transition of Env from 
q_Env with action a. Let tr_Env = (q_Env, a, μ_Env) be this unique transition. 

Next we define the probability measures needed to show the step correspondence. Suppose that 
supp(μ_Env) is the set {q_j : j ∈ I} of states of Env, where I is a countable index set. Let p be 
the probability measure on the index set I such that, for each j ∈ I, p(j) = μ_Env(q_j). For each 
j ∈ I, we define probability measure ε'_{1j} as follows. The support supp(ε'_{1j}) is the set of execution 
fragments α ∈ supp(ε'_1) such that lstate(α).Env = q_j. For each α ∈ supp(ε'_{1j}) of the form α' a q_j, 
let ε'_{1j}(α) = ε1(α'). We define ε'_{2j} analogously from ε'_2. 

Now fix j ∈ I; we show that (ε'_{1j}, ε'_{2j}) ∈ R. To do this, we establish Properties 1 and 2 of R for 
ε'_{1j} and ε'_{2j}, and show trace distribution equivalence for ε'_{1j} and ε'_{2j}. 
To establish Property 1, consider any states s' ∈ supp(lstate(ε'_{1j})) and u' ∈ supp(lstate(ε'_{2j})). Let 
s be any state in supp(lstate(ε1)) such that s' ∈ supp(μ_s) where (s, a, μ_s) ∈ D_{RS||Env}. Similarly, 
let u be any state in supp(lstate(ε2)) such that u' ∈ supp(μ_u) where (u, a, μ_u) ∈ D_{Int1||Env}. 

By the definitions of the RS and Int1 systems, we know that application of T does not update 
any state component of RS or Int1; however, it may update the state of Env in both systems. 
Since Property 1 holds for s and u, we know that all the parts of Property 1 except possibly 
1(j) also hold for s' and u'. We also know that 1(j) holds for s' and u' by definition of ε'_{1j} and 
ε'_{2j}: in both s' and u', the state of Env is q_j. Thus, Property 1 holds for s' and u', and hence, for 
ε'_{1j} and ε'_{2j}. 

The proofs for Property 2 and trace distribution equivalence are similar to the corresponding parts 
of the proof for T = {in(x)_{Trans}}. 

16. T is an output task of Env and an input task of Adv. 

Since T is an output task of Env, Claim 2 implies that T is enabled in every state in supp(lstate(ε2)), 
that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)), 
and that there is a unique transition tr_Env = (q_Env, a, μ_Env) of Env from q_Env with action a. Also, 
by next-transition determinism, it follows that there is a unique transition of Adv with action a 
from q_Adv. Let tr_Adv = (q_Adv, a, μ_Adv) be this transition. 

Suppose that supp(μ_Env × μ_Adv) is the set {(q_{1j}, q_{2j}) : j ∈ I} of pairs of states, where I is a 
countable index set. Let p be the probability measure on the index set I such that, for each j ∈ I, 
p(j) = (μ_Env × μ_Adv)(q_{1j}, q_{2j}). For each j ∈ I, we define probability measure ε'_{1j} as follows. The 
support supp(ε'_{1j}) is the set of execution fragments α ∈ supp(ε'_1) such that lstate(α).Env = q_{1j} 
and lstate(α).Adv = q_{2j}. For each α ∈ supp(ε'_{1j}) of the form α' a q, let ε'_{1j}(α) = ε1(α'). We 
construct ε'_{2j} analogously from ε'_2. 

In the rest of the proof we proceed as for T = {in(x)_{Trans}}. The only difference is that in showing 
Property 1 for ε'_{1j} and ε'_{2j}, for a fixed j, we use the fact that application of T affects only the 
states of Adv and Env (by definition of the RS and Int1 systems) and use Properties 1(i) and 

17. T is either an output task of Env that is not an input task of Adv, Trans, or Rec, or is an internal 
task of Env. 

Since T is an output or internal task of Env, Claim 2 implies that T is enabled in every 
state in supp(lstate(ε2)), that there is a unique action a ∈ T that is enabled in every state in 
supp(lstate(ε1)) ∪ supp(lstate(ε2)), and that there is a unique transition tr_Env = (q_Env, a, μ_Env) 
of Env from q_Env with action a. 

To show the step correspondence, we proceed as for T = {in(x)_{Trans}}. The only difference is that 
in showing Property 1 for ε'_{1j} and ε'_{2j}, for a fixed j, we use the fact that application of T affects 
only the state of Env, and use Property 1(j). 

18. T is an output task of Adv and an input task of Env. 

Since T is an output task of Adv, Claim 2 implies that T is enabled in every state in supp(lstate(ε2)), 
that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε1)) ∪ supp(lstate(ε2)), 
and that there is a unique transition tr_Adv = (q_Adv, a, μ_Adv) of Adv from q_Adv with action a. Also, 
by next-transition determinism, it follows that there is a unique transition of Env with action a 
from q_Env. Let tr_Env = (q_Env, a, μ_Env) be this transition. 

To show the step correspondence, we proceed as for T = {in(x)_{Trans}}, using Properties 1(i) and 
1(j). 

For each index j in the decomposition, the fact that tdist(ε'_{1j}) = tdist(ε'_{2j}) follows from the fact 
that tdist(ε1) = tdist(ε2) and the definitions of ε'_{1j} and ε'_{2j}. 
19. T is either an output task of Adv that is not an input task of Env, Trans, or Rec, or is an internal 
task of Adv. 

Since T is an output or internal task of Adv, Claim 2 implies that T is enabled in every 
state in supp(lstate(ε2)), that there is a unique action a ∈ T that is enabled in every state in 
supp(lstate(ε1)) ∪ supp(lstate(ε2)), and that there is a unique transition tr_Adv = (q_Adv, a, μ_Adv) 
of Adv from q_Adv with action a. 

To show the step correspondence, we proceed as for T = {in(x)_{Trans}}, but using Adv instead 
of Env. In showing that Property 1 holds for ε'_{1j} and ε'_{2j}, for a fixed j, we use the fact that 
application of T affects only the state of Adv (by definition of RS and Int1) and use Property 
1(i). 

For each index j in the decomposition, the fact that tdist(ε'_{1j}) = tdist(ε'_{2j}) follows from the fact 
that tdist(ε1) = tdist(ε2) and the definitions of ε'_{1j} and ε'_{2j}. 

□ 

Proof. (Of Lemma 9.5:) 

By Lemma 9.7, R is a simulation relation from RS_k||Env to Int1_k||Env. Then Theorem 3.52 implies that 
tdists(RS_k||Env) ⊆ tdists(Int1_k||Env). Since Env was chosen arbitrarily, this implies (by definition of 
≤_0) that RS_k ≤_0 Int1_k. □ 

Proof. (Of Lemma 9.6:) 

By Lemma 9.7, R is a simulation relation from RS_k||Env to Int1_k||Env for which |corrtasks(S,T)| ≤ 2 
for every S and T. Also, note that Lemma 9.7 holds for every k and for every environment Env for RS 
and Int1 (without any time-bound assumption). Thus, the hypotheses of Theorem 3.85 are satisfied, 
so by that theorem, RS ≤_{neg,pt} Int1. □ 

9.5 Int1 implements Int2 

This step introduces an ε-approximation into the implementation relation, for some negligible function 
ε that is obtained from the definition of a hard-core predicate. We show: 

Lemma 9.8 Assume that Adv is a polynomial-time-bounded family of adversary automata. Then 
Int1 ≤_{neg,pt} Int2. 



In order to prove this lemma, we consider the following two task-PIOA families, SInt1 and SInt2, 
which are subsystems of the Int1 and Int2 families respectively: 

• SInt1 = hide_{{rand(p)_{tdpp}} ∪ {rand(z)_{zval}}}(TR1 || Src_{tdpp} || Src_{zval}), 

• SInt2 = hide_{{rand(p)_{tdpp}} ∪ {rand(z)_{zval}} ∪ {rand(c)_{cval}}}(TR2 || Src_{tdpp} || Src_{zval} || Src_{cval}). 

Next, using mappings of the sort we used in Section 9.4, we will show that SInt1 ≤ SHOT and 
SHROT ≤ SInt2 or, more precisely, that SInt1_k ≤ SHOT_k and SHROT_k ≤ SInt2_k for every k. 
In the rest of this subsection, we suppress the mention of k everywhere. 

Finally, using the properties of these mappings and the different properties of the ≤_{neg,pt} relation, 
we will prove the expected relation. 

9.5.1 The SInt1 subsystem implements SHOT 

Fix any environment Env' for both SInt1 and SHOT. We define a simulation relation R from 
SInt1||Env' to SHOT||Env'. 

Let ε1 and ε2 be discrete probability measures on finite execution fragments of SInt1||Env' and 
SHOT||Env', respectively, satisfying the trace distribution equivalence and state equivalence properties. 
Then we say that (ε1, ε2) ∈ R if and only if all of the following hold: 
1. For every s ∈ supp(lstate(ε1)) and u ∈ supp(lstate(ε2)): 

(a) u.Ifc.xval = s.TR1.inval(Trans). 

(b) if s.Src_{tdpp}.chosenval ≠ ⊥ then u.Src_{tdp}.chosenval = s.Src_{tdpp}.chosenval.funct. 

(c) u.Src_{yval0}.chosenval = ⊥ iff s.Src_{zval}.chosenval = ⊥. 

(d) u.Src_{yval1}.chosenval = ⊥ iff s.Src_{zval}.chosenval = ⊥. 

(e) if s.Src_{zval}.chosenval ≠ ⊥ then u.H0.yval = s.Src_{tdpp}.chosenval.inverse(s.Src_{zval}.chosenval(0)) 
and u.H1.yval = s.Src_{tdpp}.chosenval.inverse(s.Src_{zval}.chosenval(1)). 

(f) u.H0.zval = s.Src_{zval}.chosenval(0) and u.H1.zval = s.Src_{zval}.chosenval(1). 

(g) if s.TR1.tdpp ≠ ⊥ then u.Ifc.fval = s.TR1.tdpp.funct. 

(h) u.Ifc.zval = s.TR1.zval. 

(i) if u.Ifc.bval ≠ ⊥ then u.Ifc.bval = B(s.TR1.tdpp.inverse(s.TR1.zval)). 

(j) u.Ifc.bxorx = s.TR1.bval. 

(k) u.Env = s.Env. 

2. For every s ∈ supp(lstate(ε1)): 

If s.Src_{tdpp}.chosenval = ⊥ then one of the following holds: 

(a) s.Src_{zval}.chosenval = ⊥ and, for every u ∈ supp(lstate(ε2)), u.Src_{tdp}.chosenval = ⊥. 
(That is, f has not yet been chosen in SHOT.) 

(b) s.Src_{zval}.chosenval ≠ ⊥ and, for every u ∈ supp(lstate(ε2)), u.Src_{tdp}.chosenval ≠ ⊥, 
and u.Ifc.fval = ⊥; also lstate(ε2).Src_{tdp}.chosenval is the uniform distribution on Tdp. 
(That is, the choice has already been made in SHOT, but has not yet been communicated 
by Src_{tdp} to H0, H1, and Ifc.) 

(c) s.Src_{zval}.chosenval ≠ ⊥ and lstate(ε2).Ifc.fval is the uniform distribution on Tdp. (That is, 
the choice has already been made in SHOT, and communicated to the other components.) 

Lemma 9.9 The relation R defined above is a simulation relation from Slntl \\Env' to SHOT\\Env' . 
Furthermore, for each step of SIntl\\Env' , the step correspondence yields at most eight steps of 
SHOT\\Env' , that is, for every S, T, \corrtasks(S, T)\ < 8. 

Proof. We prove that $R$ satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique start states $s$ and $u$ of $SInt1\|Env'$ and $SHOT\|Env'$, respectively, are $R$-related. Property 1 of $R$ holds because the state components of $s$ and $u$ on which $R$ depends are all $\bot$. Property 2 of $R$ holds (in its case (a)) because $s.Src_{zval}.chosenval = \bot$ and $u.Src_{tdp}.chosenval = \bot$.

Step condition: We define $corrtasks : (RS_{SInt1\|Env'} \times RA_{SInt1\|Env'}) \to RA^{*}_{SHOT\|Env'}$ as follows. For any $(S,T) \in (RS_{SInt1\|Env'} \times RA_{SInt1\|Env'})$:

• If $T = \{\textit{in}(x)_{Trans}\}$ then $corrtasks(S,T) = \{\textit{in}(x)_{Trans}\}$.

• If $T = \{\textit{choose-rand}_{tdpp}\}$ and $s.Src_{zval}.chosenval = \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{choose-rand}_{tdp}\}$.

• If $T = \{\textit{choose-rand}_{tdpp}\}$ and $s.Src_{zval}.chosenval \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \lambda$.

• If $T = \{\textit{choose-rand}_{zval}\}$ and $s.TR1.tdpp \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{choose-rand}_{yval0}\}\{\textit{choose-rand}_{yval1}\}\{\textit{rand}(y)_{yval0}\}\{\textit{rand}(y)_{yval1}\}\{\textit{fix-zval}_0\}\{\textit{fix-zval}_1\}$.

• If $T = \{\textit{choose-rand}_{zval}\}$ and $s.TR1.tdpp = \bot$ and $s.Src_{tdpp}.chosenval \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{rand}(f)_{tdp}\}\{\textit{choose-rand}_{yval0}\}\{\textit{choose-rand}_{yval1}\}\{\textit{rand}(y)_{yval0}\}\{\textit{rand}(y)_{yval1}\}\{\textit{fix-zval}_0\}\{\textit{fix-zval}_1\}$. This case corresponds to the fact that the random permutation has already been chosen in $SHOT$, but not yet transmitted to $H0$ and $H1$.

• If $T = \{\textit{choose-rand}_{zval}\}$ and $s.Src_{tdpp}.chosenval = \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{choose-rand}_{tdp}\}\{\textit{rand}(f)_{tdp}\}\{\textit{choose-rand}_{yval0}\}\{\textit{choose-rand}_{yval1}\}\{\textit{rand}(y)_{yval0}\}\{\textit{rand}(y)_{yval1}\}\{\textit{fix-zval}_0\}\{\textit{fix-zval}_1\}$. This case corresponds to the fact that the random permutation has not yet been chosen in $SHOT$.

• If $T = \{\textit{rand}(p)_{tdpp}\}$ then $corrtasks(S,T) = \{\textit{rand}(f)_{tdp}\}$.

• If $T = \{\textit{rand}(z)_{zval}\}$ then $corrtasks(S,T) = \{\textit{rand}(z)_{zval0}\}\{\textit{rand}(z)_{zval1}\}$.

• If $T = \{\textit{fix-bval}_{Trans}\}$ then $corrtasks(S,T) = \{\textit{fix-bval}_0\}\{\textit{fix-bval}_1\}\{\textit{rand}(b)_{bval0}\}\{\textit{rand}(b)_{bval1}\}\{\textit{fix-bxorx}\}$.

• If $T \in \{\{\textit{send}(1,f)_{Trans}\}, \{\textit{send}(2,z)_{Rec}\}, \{\textit{send}(3,b)_{Trans}\}\}$ then $corrtasks(S,T) = T$.

There are two interesting points in this correspondence. The first one comes from the fact that the $z$-values are chosen randomly in $SInt1$, while they are computed as the images of randomly selected $y$-values through the permutation $f$ in $SHOT$. This difference imposes that, in $SHOT$, the trapdoor permutation $f$ must already have been selected (and delivered to $H0$ and $H1$) in order to be able to compute the $z$-values; this is why the $\{\textit{choose-rand}_{zval}\}$ task is matched by three different task sequences, depending on how far the selection of $f$ has progressed in $SHOT$.

The second interesting point comes from the fact that the $b$-values are computed as $B(f^{-1}(z))$ in $SInt1$ and as $B(y)$ in $SHOT$. As a consequence, $f$ must have been selected in order to compute the $b$-values in $SInt1$, while this is not necessary in $SHOT$. However, this does not require any specific treatment here, as the $corrtasks$ function is only applied to enabled tasks: the $b$-value steps of $SHOT$ are only taken in response to a $\{\textit{fix-bval}_{Trans}\}$ step of $SInt1$, and that step is enabled only once $f$ has been selected.

Suppose $(\epsilon_1, \epsilon_2) \in R$ and $T$ is a task of $SInt1\|Env'$ that is enabled in $supp(lstate(\epsilon_1))$. Let $\epsilon_1' = apply(\epsilon_1, T)$ and $\epsilon_2' = apply(\epsilon_2, corrtasks([lstate(\epsilon_1)], T))$.

The proof follows the same outline as that of Lemma 9.7. State equivalence follows as in that proof. Identical versions of Claim 1 and Claim 2 in that proof carry over for $Env'$ to this case. We again consider cases based on the value of $T$ (and of $S$ when needed).

1. $T = \{\textit{in}(x)_{Trans}\}$, so $corrtasks(S,T) = \{\textit{in}(x)_{Trans}\}$.

The treatment of this case is similar to the one described in the proof of Lemma 9.7.

2. $T = \{\textit{choose-rand}_{tdpp}\}$ and $s.Src_{zval}.chosenval = \bot$ in every state $s$ of $S$.

We first show that $T' = corrtasks(S,T) = \{\textit{choose-rand}_{tdp}\}$ is enabled in every state in $supp(lstate(\epsilon_2))$. Thus, fix any state $u \in supp(lstate(\epsilon_2))$; we show that $T'$ is enabled in $u$. Choose any $s \in supp(lstate(\epsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an internal task of $Src_{tdpp}$, $T$ is enabled in $s.Src_{tdpp}$. The precondition of $T$ in the definition of $Src_{tdpp}$ implies that $s.Src_{tdpp}.chosenval = \bot$. Now, since $s.Src_{zval}.chosenval = \bot$ and $\epsilon_1 R \epsilon_2$, Property 2(a) yields $u.Src_{tdp}.chosenval = \bot$, which is exactly the precondition of $T'$ in $u$.

Next, we define the probability measures needed to show the correspondence. Let $p$ be the uniform probability measure on the index set $I = \{1, \ldots, r\}$ where $r = |Tdp|$; that is, $p(j) = 1/r$ for each $j \in I$. For each $j \in I$, we define the probability measure $\epsilon_{1j}'$ as follows. The support $supp(\epsilon_{1j}')$ is the set of execution fragments $\alpha \in supp(\epsilon_1')$ such that $lstate(\alpha).Src_{tdpp}.chosenval$ is the $j$-th element of the domain $Tdpp$ (in some enumeration). For each $\alpha \in supp(\epsilon_{1j}')$ of the form $\alpha'\ \textit{choose-rand}_{tdpp}\ q$, let $\epsilon_{1j}'(\alpha) = \epsilon_1(\alpha')$. We define $\epsilon_{2j}'$ analogously from $\epsilon_2'$, assuming that the elements of the domain $Tdp$ are enumerated in the same order as the permutation pairs of $Tdpp$, that is, the $j$-th permutation of $Tdp$ is the function component of the $j$-th permutation pair of $Tdpp$.

Now, it is easy to check that $\epsilon_{1j}' R \epsilon_{2j}'$: for any states $s' \in supp(lstate(\epsilon_{1j}'))$ and $u' \in supp(lstate(\epsilon_{2j}'))$, the only updated components are $s'.Src_{tdpp}.chosenval$ and $u'.Src_{tdp}.chosenval$; both are different from $\bot$, and $s'.Src_{tdpp}.chosenval.funct = u'.Src_{tdp}.chosenval$, as required by Property 1(b).
3. $T = \{\textit{choose-rand}_{tdpp}\}$ and $s.Src_{zval}.chosenval \neq \bot$ in every state $s$ of $S$.

Since, in that case, $corrtasks([lstate(\epsilon_1)], T) = \lambda$, no enabling condition needs to be shown, and $\epsilon_2' = \epsilon_2$.

Next, we define the probability measures needed to show the correspondence. Let $p$ be the uniform probability measure on the index set $I = \{1, \ldots, r\}$ where $r = |Tdp|$; that is, $p(j) = 1/r$ for each $j \in I$. For each $j \in I$, we define the probability measure $\epsilon_{1j}'$ as follows. The support $supp(\epsilon_{1j}')$ is the set of execution fragments $\alpha \in supp(\epsilon_1')$ such that $lstate(\alpha).Src_{tdpp}.chosenval$ is the $j$-th element of the domain $Tdpp$ (in some enumeration). For each $\alpha \in supp(\epsilon_{1j}')$ of the form $\alpha'\ \textit{choose-rand}_{tdpp}\ q$, let $\epsilon_{1j}'(\alpha) = \epsilon_1(\alpha')$.

Now, we define $\epsilon_{2j}'$ from $\epsilon_2'$. The support $supp(\epsilon_{2j}')$ is the set of execution fragments $\alpha \in supp(\epsilon_2')$ such that $lstate(\alpha).Src_{tdp}.chosenval$ is the $j$-th element of the domain $Tdp$ (according to the same enumeration as above). Furthermore, for each $\alpha \in supp(\epsilon_{2j}')$, let $\epsilon_{2j}'(\alpha) = r \cdot \epsilon_2'(\alpha)$; that is, $\epsilon_{2j}'$ is $\epsilon_2'$ conditioned on the $j$-th permutation having been chosen. This is acceptable since, by Property 2(b) or 2(c), $lstate(\epsilon_2').Src_{tdp}.chosenval$ is the uniform distribution on $Tdp$, so each such event has probability exactly $1/r$ and $\epsilon_2' = \sum_j p(j)\,\epsilon_{2j}'$.

Now, it is easy to check that $\epsilon_{1j}' R \epsilon_{2j}'$: for any states $s' \in supp(lstate(\epsilon_{1j}'))$ and $u' \in supp(lstate(\epsilon_{2j}'))$, the only updated component is $s'.Src_{tdpp}.chosenval$, which becomes different from $\bot$, and $s'.Src_{tdpp}.chosenval.funct = u'.Src_{tdp}.chosenval$.

4. $T = \{\textit{choose-rand}_{zval}\}$ and $s.TR1.tdpp \neq \bot$ in every state $s$ of $S$.

We first check that all tasks in the sequence $corrtasks(S,T) = \{\textit{choose-rand}_{yval0}\}\{\textit{choose-rand}_{yval1}\}\{\textit{rand}(y)_{yval0}\}\{\textit{rand}(y)_{yval1}\}\{\textit{fix-zval}_0\}\{\textit{fix-zval}_1\}$ are enabled. Thus, fix any state $u \in supp(lstate(\epsilon_2))$; we show that the sequence of tasks $corrtasks(S,T)$ is enabled in $u$. Choose any $s \in supp(lstate(\epsilon_1))$.

The $\{\textit{choose-rand}_{yval0}\}$ and $\{\textit{choose-rand}_{yval1}\}$ tasks are enabled because $R$ (Properties 1(c) and 1(d)) guarantees that $u.Src_{yval0}.chosenval = \bot$ and $u.Src_{yval1}.chosenval = \bot$ when $s.Src_{zval}.chosenval = \bot$, which is the case since $T = \{\textit{choose-rand}_{zval}\}$ is enabled.

Next, $\{\textit{rand}(y)_{yval0}\}$ and $\{\textit{rand}(y)_{yval1}\}$ are enabled because $u.Src_{yval0}.chosenval \neq \bot$ and $u.Src_{yval1}.chosenval \neq \bot$ now. Finally, the $\{\textit{fix-zval}_0\}$ and $\{\textit{fix-zval}_1\}$ tasks are enabled because

• $u.H0.fval \neq \bot$ and $u.H1.fval \neq \bot$, which is guaranteed by the assumption that $s.TR1.tdpp \neq \bot$ (the permutation is delivered by $\{\textit{rand}(f)_{tdp}\}$ to $H0$, $H1$ and $Ifc$ at once, and Property 1(g) shows it has reached $Ifc$), and

• $u.H0.yval \neq \bot$ and $u.H1.yval \neq \bot$, which is guaranteed by the execution of the $\{\textit{rand}(y)_{yval0}\}$ and $\{\textit{rand}(y)_{yval1}\}$ tasks just before.

Next, we define the probability measures needed to show the correspondence. Let $p$ be the uniform probability measure on the index set $I = \{1, \ldots, r\}$ where $r = |D|^2$; that is, $p(j) = 1/r$ for each $j \in I$.

The support $supp(\epsilon_{1j}')$ is the set of execution fragments $\alpha \in supp(\epsilon_1')$ such that $lstate(\alpha).Src_{zval}.chosenval$ is the $j$-th element of the domain $\{0,1\} \to D$ (in some enumeration). For each $\alpha \in supp(\epsilon_{1j}')$ of the form $\alpha'\ \textit{choose-rand}_{zval}\ q$, let $\epsilon_{1j}'(\alpha) = \epsilon_1(\alpha')$.

Now, we define $\epsilon_{2j}'$ from $\epsilon_2'$. The support $supp(\epsilon_{2j}')$ is the set of execution fragments $\alpha \in supp(\epsilon_2')$ such that $(lstate(\alpha).H0.zval, lstate(\alpha).H1.zval) = (z(0), z(1))$, where $z$ is the $j$-th element of the domain $\{0,1\} \to D$ (according to the same enumeration as above); the values $\epsilon_{2j}'(\alpha)$ are obtained by conditioning $\epsilon_2'$ on this event, which has probability $1/r$. This correspondence preserves the trace distributions since $u.Src_{yval0}.chosenval$ and $u.Src_{yval1}.chosenval$ are selected from $D$ according to the uniform distribution, and $u.H0.zval$ and $u.H1.zval$ are computed as the images of these two elements of $D$ through a permutation, so that the pair $(u.H0.zval, u.H1.zval)$ is again uniform on $D \times D$.

Now, it is easy to check that $\epsilon_{1j}' R \epsilon_{2j}'$: for any states $s' \in supp(lstate(\epsilon_{1j}'))$ and $u' \in supp(lstate(\epsilon_{2j}'))$, the only updated components are

• $s'.Src_{zval}.chosenval$, $u'.Src_{yval0}.chosenval$ and $u'.Src_{yval1}.chosenval$, which all become different from $\bot$, together with $u'.H0.yval$ and $u'.H1.yval$, which become the $f$-preimages of the two $z$-values, as Property 1(e) requires, and

• $u'.H0.zval$ and $u'.H1.zval$, which become equal to $s'.Src_{zval}.chosenval(0)$ and $s'.Src_{zval}.chosenval(1)$, so that Property 1(f) is preserved.

5. $T = \{\textit{choose-rand}_{zval}\}$ and $s.TR1.tdpp = \bot$ and $s.Src_{tdpp}.chosenval \neq \bot$ in every state $s$ of $S$.

$corrtasks(S,T)$ is defined in the same way as in the previous case, except that we add a new task at the beginning of $corrtasks(S,T)$: $\{\textit{rand}(f)_{tdp}\}$.

This task is enabled since we know that $s.Src_{tdpp}.chosenval \neq \bot$ in every state $s$ of $S$, so that, by Property 1(b), $u.Src_{tdp}.chosenval \neq \bot$. Now, we can define the probability measures needed to show the correspondence in a similar way as in the previous case. The state variables which are changed in this case are those considered in the previous case, plus $H0.fval$, $H1.fval$ and $Ifc.fval$, which were equal to $\bot$ in all states of $\epsilon_2$ and become distributed uniformly on $Tdp$ in $\epsilon_2'$.

6. $T = \{\textit{choose-rand}_{zval}\}$ and $s.Src_{tdpp}.chosenval = \bot$ in every state $s$ of $S$.

$corrtasks(S,T)$ is defined in the same way as in the previous case, except that we add a new task at the beginning of $corrtasks(S,T)$: $\{\textit{choose-rand}_{tdp}\}$.

This task is enabled since we know that $s.Src_{tdpp}.chosenval = \bot$ in every state $s$ of $S$, so that, by Property 2(a), $u.Src_{tdp}.chosenval = \bot$. Furthermore, executing $\{\textit{choose-rand}_{tdp}\}$ enables the $\{\textit{rand}(f)_{tdp}\}$ task. The other tasks are enabled for the same reasons as above.

Now, we can define the probability measures needed to show the correspondence in a similar way as in the previous case. The state variables which are changed in this case are those considered in the previous case, plus $Src_{tdp}.chosenval$, which was equal to $\bot$ in all states of $\epsilon_2$ and becomes distributed uniformly on $Tdp$ in $\epsilon_2'$.

7. $T = \{\textit{rand}(p)_{tdpp}\}$.

The treatment of this case is similar to the corresponding one in the proof of Lemma 9.7.

8. $T = \{\textit{rand}(z)_{zval}\}$.

The treatment of this case is similar to the corresponding one in the proof of Lemma 9.7.

9. $T = \{\textit{fix-bval}_{Trans}\}$.

We first check that all tasks in the sequence $corrtasks(S,T) = \{\textit{fix-bval}_0\}\{\textit{fix-bval}_1\}\{\textit{rand}(b)_{bval0}\}\{\textit{rand}(b)_{bval1}\}\{\textit{fix-bxorx}\}$ are enabled. Thus, fix any state $u \in supp(lstate(\epsilon_2))$; we show that the sequence of tasks $corrtasks(S,T)$ is enabled in $u$. Choose any $s \in supp(lstate(\epsilon_1))$.

The fact that $T$ is enabled in $s$ guarantees that $s.TR1.tdpp \neq \bot$, $s.TR1.zval \neq \bot$, $s.TR1.inval(Trans) \neq \bot$ and $s.TR1.bval = \bot$. We then conclude that:

• the $\{\textit{fix-bval}_0\}$ and $\{\textit{fix-bval}_1\}$ tasks are enabled since they only require that $u.H0.yval \neq \bot$ and $u.H1.yval \neq \bot$, which is guaranteed by the fact that $s.TR1.zval \neq \bot$ (the $z$-values can only have reached $TR1$ after $Src_{zval}$ chose them, and then Property 1(e) applies);

• the $\{\textit{rand}(b)_{bval0}\}$ and $\{\textit{rand}(b)_{bval1}\}$ tasks are enabled since they only require $u.H0.bval \neq \bot$ and $u.H1.bval \neq \bot$, which is guaranteed by the fact that we just executed the $\{\textit{fix-bval}_0\}$ and $\{\textit{fix-bval}_1\}$ tasks;

• the $\{\textit{fix-bxorx}\}$ task is enabled since it requires that:

– $u.Ifc.bval(i) \neq \bot$ for $i \in \{0,1\}$, which is guaranteed by the fact that we just executed the $\{\textit{rand}(b)_{bval0}\}$ and $\{\textit{rand}(b)_{bval1}\}$ tasks,

– $u.Ifc.xval \neq \bot$, which is guaranteed by the fact that $s.TR1.inval(Trans) \neq \bot$ and Property 1(a) of the relation $R$,

– $u.Ifc.bxorx = \bot$, which is guaranteed by the fact that $s.TR1.bval = \bot$ and Property 1(j) of the relation $R$.

$s.TR1.bval$ and $u.Ifc.bxorx$ receive the same values in $SInt1$ and $SHOT$ (in both systems they are the $\oplus$ of $B$ applied to the $f$-preimages of the $z$-values with the bits of $x$), so the remaining part of the mapping does not raise any specific problem.

10. $T \in \{\{\textit{send}(1,f)_{Trans}\}, \{\textit{send}(2,z)_{Rec}\}, \{\textit{send}(3,b)_{Trans}\}\}$.

The treatment of these cases is similar to the corresponding ones in the proof of Lemma 9.7.

□

9.5.2 SHROT implements the SInt2 subsystem

Fix any environment $Env$ for both $SHROT$ and $SInt2$. We define a simulation relation $R$ from $SHROT\|Env'$ to $SInt2\|Env'$.

Let $\epsilon_1$ and $\epsilon_2$ be discrete probability measures on finite execution fragments of $SHROT\|Env'$ and $SInt2\|Env'$, respectively, satisfying the trace distribution equivalence and state equivalence properties. Then we say that $(\epsilon_1, \epsilon_2) \in R$ if and only if all of the following hold:

1. For every $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$:

(a) $s.Ifc.xval = u.TR2.inval(Trans)$.

(b) $s.Src_{tdp}.chosenval = u.Src_{tdpp}.chosenval.funct$.

(c) $s.Ifc.fval = u.TR2.tdpp.funct$.

(d) $u.Src_{zval}.chosenval \neq \bot$ iff for $i \in \{0,1\}$, $s.Src_{zval(i)}.chosenval \neq \bot$.

(e) If $u.Src_{zval}.chosenval \neq \bot$ then for $i \in \{0,1\}$, $u.Src_{zval}.chosenval(i) = s.Src_{zval(i)}.chosenval$.

(f) $u.Src_{cval}.chosenval \neq \bot$ iff for $i \in \{0,1\}$, $s.Src_{bval(i)}.chosenval \neq \bot$.

(g) If $u.Src_{cval}.chosenval \neq \bot$ then for $i \in \{0,1\}$, $u.Src_{cval}.chosenval(i) = s.Src_{bval(i)}.chosenval$.

(h) $u.TR2.zval \neq \bot$ iff for $i \in \{0,1\}$, $s.Ifc.zval(i) \neq \bot$.

(i) If $u.TR2.zval \neq \bot$ then $u.TR2.zval = s.Ifc.zval$.

(j) $u.TR2.cval \neq \bot$ iff for $i \in \{0,1\}$, $s.Ifc.bval(i) \neq \bot$.

(k) If $u.TR2.cval \neq \bot$ then $u.TR2.cval = s.Ifc.bval$.

(l) $s.Ifc.bxorx = u.TR2.bval$.

(m) $u.Env = s.Env$.

2. For every $u \in supp(lstate(\epsilon_2))$:

(a) If $u.Src_{zval}.chosenval = \bot$ then one of the following holds:

i. For every $s \in supp(lstate(\epsilon_1))$ and $i \in \{0,1\}$, $s.Src_{zval(i)}.chosenval = \bot$.

ii. For some $i \in \{0,1\}$: for every $s \in supp(lstate(\epsilon_1))$, $s.Src_{zval(i)}.chosenval = \bot$, and $lstate(\epsilon_1).Src_{zval(1-i)}.chosenval$ is the uniform distribution on $D$.

(b) If $u.Src_{cval}.chosenval = \bot$ then one of the following holds:

i. For every $s \in supp(lstate(\epsilon_1))$ and $i \in \{0,1\}$, $s.Src_{bval(i)}.chosenval = \bot$.

ii. For some $i \in \{0,1\}$: for every $s \in supp(lstate(\epsilon_1))$, $s.Src_{bval(i)}.chosenval = \bot$, and $lstate(\epsilon_1).Src_{bval(1-i)}.chosenval$ is the uniform distribution on $\{0,1\}$.

Lemma 9.10 The relation $R$ defined above is a simulation relation from $SHROT\|Env'$ to $SInt2\|Env'$. Furthermore, for each step of $SHROT\|Env'$, the step correspondence yields at most one step of $SInt2\|Env'$, that is, for every $S, T$, $|corrtasks(S,T)| \le 1$.

Proof. We show that $R$ satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique start states $s$ and $u$ of $SHROT\|Env'$ and $SInt2\|Env'$, respectively, are $R$-related. The two properties of $R$ hold because the state components of $s$ and $u$ on which $R$ depends are all $\bot$.

Step condition: We define $corrtasks : (RS_{SHROT\|Env'} \times RA_{SHROT\|Env'}) \to RA^{*}_{SInt2\|Env'}$ as follows. For any $(S,T) \in (RS_{SHROT\|Env'} \times RA_{SHROT\|Env'})$:

• If $T = \{\textit{in}(x)_{Trans}\}$ then $corrtasks(S,T) = T$.

• If $T = \{\textit{choose-rand}_{tdp}\}$ then $corrtasks(S,T) = \{\textit{choose-rand}_{tdpp}\}$.

• If $T = \{\textit{rand}(f)_{tdp}\}$ then $corrtasks(S,T) = \{\textit{rand}(p)_{tdpp}\}$.

• For $i \in \{0,1\}$:

1. If $T = \{\textit{choose-rand}_{zval(i)}\}$ and $s.Src_{zval(1-i)}.chosenval = \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \lambda$.

2. If $T = \{\textit{choose-rand}_{zval(i)}\}$ and $s.Src_{zval(1-i)}.chosenval \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{choose-rand}_{zval}\}$.

3. If $T = \{\textit{rand}(z)_{zval(i)}\}$ and $s.Ifc.zval(1-i) = \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \lambda$.

4. If $T = \{\textit{rand}(z)_{zval(i)}\}$ and $s.Ifc.zval(1-i) \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{rand}(z)_{zval}\}$.

• For $i \in \{0,1\}$:

1. If $T = \{\textit{choose-rand}_{bval(i)}\}$ and $s.Src_{bval(1-i)}.chosenval = \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \lambda$.

2. If $T = \{\textit{choose-rand}_{bval(i)}\}$ and $s.Src_{bval(1-i)}.chosenval \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{choose-rand}_{cval}\}$.

3. If $T = \{\textit{rand}(b)_{bval(i)}\}$ and $s.Ifc.bval(1-i) = \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \lambda$.

4. If $T = \{\textit{rand}(b)_{bval(i)}\}$ and $s.Ifc.bval(1-i) \neq \bot$ in every state $s$ of $S$ then $corrtasks(S,T) = \{\textit{rand}(c)_{cval}\}$.

• If $T = \{\textit{fix-bxorx}\}$ then $corrtasks(S,T) = \{\textit{fix-bval}_{Trans}\}$.

• If $T \in \{\{\textit{send}(1,f)_{Trans}\}, \{\textit{send}(2,z)_{Rec}\}, \{\textit{send}(3,b)_{Trans}\}\}$ then $corrtasks(S,T) = T$.

The only interesting cases are those corresponding to the selection and to the transmission of $s.Src_{zval(i)}.chosenval$ and $s.Src_{bval(i)}.chosenval$. Each of these pairs of elements is selected by two separate random sources in $SHROT$, while the pair is selected as a single random element of a product domain by one random source in $SInt2$.

We manage these differences in a simple way: when the first element of a pair is selected (resp. transmitted) in $SHROT$, we do not define any corresponding step in $SInt2$, while the pair is selected (resp. transmitted) in $SInt2$ when the second element of the pair is selected (resp. transmitted) in $SHROT$. This way to proceed will not raise any problem, as all tasks of $Ifc$ depending on these values are enabled only when both $z$-values and both $b$-values have been transmitted; Property 2 of $R$ records the intermediate situation in which only one element of a pair has been chosen, and guarantees that it is uniformly distributed.

Proving the rest of this correspondence is straightforward.

□

9.5.3 Int1 implements Int2

Proof (of Lemma 9.8).

In Lemmas 9.9 and 9.10, we proved that $SInt1 \le SHOT$ and $SHROT \le SInt2$. Furthermore, the $corrtasks$ mappings we used in these proofs only increase the length of the schedules by a constant factor. So, we can use the soundness result of our simulation relation given in Theorem 3.85 to deduce that $SInt1 \le_{neg,pt} SHOT$ and $SHROT \le_{neg,pt} SInt2$.

Now, since $SHOT \le_{neg,pt} SHROT$ (see Lemma 8.10) and since the $\le_{neg,pt}$ implementation relation is transitive (see Lemma 3.82), we obtain $SInt1 \le_{neg,pt} SInt2$.

Now, by composing $SInt1$ and $SInt2$ with the polynomial-time-bounded task-PIOA families $Adv$ and $Funct$, and using Lemma 3.83, we obtain:

$$Funct\|Adv\|SInt1 \le_{neg,pt} Funct\|Adv\|SInt2.$$

Now, coming back to the definitions of $SInt1$ and $SInt2$, we observe that this is equivalent to saying that:

$$hide_{\{\textit{rand}(*)_{tdpp}\} \cup \{\textit{rand}(*)_{zval}\}}(Funct\|Adv\|TR1\|Src_{tdpp}\|Src_{zval}) \le_{neg,pt} hide_{\{\textit{rand}(*)_{tdpp}\} \cup \{\textit{rand}(*)_{zval}\} \cup \{\textit{rand}(*)_{cval}\}}(Funct\|Adv\|TR2\|Src_{tdpp}\|Src_{zval}\|Src_{cval}),$$

or in other words, $Int1 \le_{neg,pt} Int2$, as needed. □

9.6 Int2 implements SIS

We show:

Lemma 9.11 For every $k$, $Int2_k \le_0 SIS_k$.

We prove Lemma 9.11 by choosing an arbitrary environment $Env$ for $Int2_k$ and $SIS_k$, establishing a simulation relation from $Int2_k\|Env$ to $SIS_k\|Env$, and appealing to Theorem 3.52, the soundness result for simulation relations.

The only differences between $Int2$ and $SIS$ are that $Int2$ uses $TR2$ and $Src_{cval}$ whereas $SIS$ uses $TR$ and $Src_{bval}$. The key difference here is that $TR2$ calculates the $bval$ values as $\oplus$'s of random $cval$ values and the input $x$ values, whereas $TR$ just chooses the $bval$ values randomly. However, since taking $\oplus$ with a random bit is the same as choosing a random bit, this does not give any observably different behavior.
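The two distributional facts that these mappings rely on can be checked by exact enumeration: in the proof of Lemma 9.9 (the $\{\textit{choose-rand}_{zval}\}$ cases), a pair of $z$-values drawn uniformly from $D \times D$ has the same distribution as the pair $(f(y_0), f(y_1))$ for uniform $y_0, y_1$ because $f$ is a permutation; and in Lemma 9.11, a pair of $b$-values drawn uniformly has the same distribution as $c \oplus x$ for uniform $c$ and a fixed input $x$. The Python script below is an added example, not part of the paper. It assumes a small domain $D = \mathbb{Z}_7$ and an affine bijection on it standing in for the trapdoor permutation (the paper's $Tdp$ is an abstract family); the helper names are ours. The last function records the caveat that both arguments depend on the map being a bijection and on the masking bits being uniform, and shows what happens when either assumption is dropped.

```python
from fractions import Fraction
from itertools import product


def uniform(domain):
    """Exact uniform distribution over a finite domain: value -> Fraction."""
    domain = list(domain)
    return {v: Fraction(1, len(domain)) for v in domain}


def pushforward(dist, f):
    """Distribution of f(X) when X ~ dist, computed exactly by enumeration."""
    out = {}
    for v, p in dist.items():
        w = f(v)
        out[w] = out.get(w, Fraction(0)) + p
    return out


def joint(d0, d1):
    """Joint distribution of two independent draws, as pairs (v0, v1)."""
    return {(a, b): pa * pb for a, pa in d0.items() for b, pb in d1.items()}


def is_uniform(dist):
    """True iff every value in the support has probability 1/|support|."""
    return all(p == Fraction(1, len(dist)) for p in dist.values())


def zval_distributions(D, f):
    """Lemma 9.9: SInt1 draws (z(0), z(1)) uniformly from D x D (choose-rand_zval);
    SHOT draws y0, y1 uniformly from D and sets z(i) = f(y(i)) (the yval and
    fix-zval tasks). Returns both distributions over pairs for comparison."""
    direct = uniform(product(D, D))
    via_f = pushforward(joint(uniform(D), uniform(D)),
                        lambda yy: (f(yy[0]), f(yy[1])))
    return direct, via_f


def zvals_match(D, f):
    direct, via_f = zval_distributions(D, f)
    return direct == via_f


def bval_distributions(x):
    """Lemma 9.11: SIS draws (b(0), b(1)) uniformly from {0,1}^2 (Src_bval);
    Int2 draws (c(0), c(1)) uniformly and sets b(i) = c(i) XOR x(i) (TR2).
    x is the Transmitter's fixed input pair."""
    bits2 = list(product((0, 1), (0, 1)))
    direct = uniform(bits2)
    via_xor = pushforward(uniform(bits2), lambda c: (c[0] ^ x[0], c[1] ^ x[1]))
    return direct, via_xor


def bvals_match(x):
    direct, via_xor = bval_distributions(x)
    return direct == via_xor


def biased_xor_is_uniform(x, p_one):
    """Caveat: the masking argument needs c uniform. With Pr[c(i) = 1] = p_one,
    b(i) = c(i) XOR x(i) is uniform only when p_one == 1/2."""
    c_bit = {1: Fraction(p_one), 0: 1 - Fraction(p_one)}
    via_xor = pushforward(joint(c_bit, c_bit), lambda c: (c[0] ^ x[0], c[1] ^ x[1]))
    return is_uniform(via_xor)


def affine_perm(y):
    # Assumed stand-in for a trapdoor permutation: gcd(3, 7) = 1, so a bijection on Z_7.
    return (3 * y + 2) % 7


def squaring(y):
    # Not injective on Z_7 (1 and 6 both map to 1): the "permutation" assumption fails.
    return (y * y) % 7


if __name__ == "__main__":
    D = range(7)
    print("z via permutation matches direct uniform:", zvals_match(D, affine_perm))
    print("z via non-bijection matches:", zvals_match(D, squaring))
    print("b = c xor x uniform for x = (0, 1):", bvals_match((0, 1)))
    print("b uniform with biased c:", biased_xor_is_uniform((0, 1), Fraction(1, 3)))
```

The comparison is on exact `Fraction` values, so equality of the two dictionaries is a genuine statement about the distributions, not a sampling estimate; the non-bijective map and the biased bit source are the two ways the equality breaks, which is exactly why the simulation relation records that $Src_{tdp}.chosenval$ is uniform on $Tdp$ and that $cval$ is uniform on $\{0,1\} \to \{0,1\}$.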

We also show:

Lemma 9.12 $Int2 \le_{neg,pt} SIS$.

In the rest of this subsection, we fix $Env$, an environment for $Int2_k$ and $SIS_k$. We also suppress mention of $k$ everywhere.

9.6.1 State correspondence

Here we define the correspondence $R$ from the states of $Int2\|Env$ to states of $SIS\|Env$, which we will show to be a simulation relation in Section 9.6.2.

Let $\epsilon_1$ and $\epsilon_2$ be discrete probability measures on finite execution fragments of $Int2\|Env$ and $SIS\|Env$, respectively, satisfying the following properties:

1. Trace distribution equivalence: $tdist(\epsilon_1) = tdist(\epsilon_2)$.

2. State equivalence: There exist state equivalence classes $S_1 \in RS_{Int2\|Env}$ and $S_2 \in RS_{SIS\|Env}$ such that $supp(lstate(\epsilon_1)) \subseteq S_1$ and $supp(lstate(\epsilon_2)) \subseteq S_2$.

Then we say that $(\epsilon_1, \epsilon_2) \in R$ if and only if all of the following hold:

1. For every $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$:

(a) $u.Funct = s.Funct$.

(b) $u.Funct.inval(Trans) = s.TR2.inval(Trans)$.

(c) $u.TR.tdpp = s.TR2.tdpp$.

(d) $u.TR.zval = s.TR2.zval$.

(e) $u.TR.bval = s.TR2.bval$.

(f) $u.Src_{tdpp} = s.Src_{tdpp}$.

(g) $u.Src_{zval} = s.Src_{zval}$.

(h) $u.Src_{bval}.chosenval = s.TR2.bval$.

(i) $u.Adv = s.Adv$.

(j) $u.Env = s.Env$.

2. For every $u \in supp(lstate(\epsilon_2))$: if $u.TR.bval = \bot$ then one of the following holds:

(a) For every $s \in supp(lstate(\epsilon_1))$, $s.Src_{cval}.chosenval = \bot$. That is, $cval$ has not yet been chosen.

(b) For every $s \in supp(lstate(\epsilon_1))$, $s.TR2.cval = \bot$, and $lstate(\epsilon_1).Src_{cval}.chosenval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$. That is, $cval$ has been chosen by the $Src$, but has not yet been output to $TR2$.

(c) $lstate(\epsilon_1).TR2.cval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$.

9.6.2 The mapping proof

Lemma 9.13 The relation $R$ defined in Section 9.6.1 is a simulation relation from $Int2\|Env$ to $SIS\|Env$. Furthermore, for each step of $Int2\|Env$, the step correspondence yields at most two steps of $SIS\|Env$, that is, for every $S, T$, $|corrtasks(S,T)| \le 2$.

Proof. We prove that $R$ satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique start states $s$ and $u$ of $Int2\|Env$ and $SIS\|Env$, respectively, are $R$-related. Property 1 holds because the state components of $s$ and $u$ on which $R$ depends are all $\bot$. Property 2 holds (in its case (a)) because $s.Src_{cval}.chosenval = \bot$.

Step condition: We define $corrtasks : RS_{Int2\|Env} \times RA_{Int2\|Env} \to RA^{*}_{SIS\|Env}$ as follows. For any $(S,T) \in RS_{Int2\|Env} \times RA_{Int2\|Env}$:

• If $T \in \{\{\textit{in}(x)_{Trans}\}, \{\textit{in}(i)_{Rec}\}, \{\textit{choose-rand}_{tdpp}\}, \{\textit{rand}(p)_{tdpp}\}, \{\textit{choose-rand}_{zval}\}, \{\textit{rand}(z)_{zval}\}, \{\textit{send}(1,f)_{Trans}\}, \{\textit{receive}(1,f)_{Rec}\}, \{\textit{send}(2,z)_{Rec}\}, \{\textit{receive}(2,z)_{Trans}\}, \{\textit{send}(3,b)_{Trans}\}, \{\textit{receive}(3,b)_{Rec}\}, \{\textit{out}(x)_{Rec}\}\}$, then $corrtasks(S,T) = T$.

• If $T$ is an output or internal task of $Env$ or $Adv$ that is not one of the tasks listed above, then $corrtasks(S,T) = T$.

• If $T \in \{\{\textit{choose-rand}_{cval}\}, \{\textit{rand}(c)_{cval}\}\}$ then $corrtasks(S,T) = \lambda$.

• If $T = \{\textit{fix-bval}_{Trans}\}$ then $corrtasks(S,T) = \{\textit{choose-rand}_{bval}\}\{\textit{rand}(b)_{bval}\}$.

Suppose $(\epsilon_1, \epsilon_2) \in R$ and $T$ is a task of $Int2\|Env$ that is enabled in $supp(lstate(\epsilon_1))$. Let $\epsilon_1' = apply(\epsilon_1, T)$ and $\epsilon_2' = apply(\epsilon_2, corrtasks([lstate(\epsilon_1)], T))$.

The proof follows the same outline as that of Lemma 9.7. State equivalence follows as in that proof. Identical versions of Claim 1 and Claim 2 in that proof carry over to this case. We again consider cases based on the value of $T$.

1. $T = \{\textit{in}(x)_{Trans}\}$.

Since $T$ is an output task of $Env$, Claim 2 implies that $T$ is enabled in every state in $supp(lstate(\epsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $supp(lstate(\epsilon_1)) \cup supp(lstate(\epsilon_2))$, and that there is a unique transition $tr_{Env} = (q_{Env}, a, \mu_{Env})$ of $Env$ from $q_{Env}$ with action $a$. Here, $a = \textit{in}(x)_{Trans}$ for a particular value of $x$.

Next we define the probability measures needed to show the step correspondence. Suppose that $supp(\mu_{Env})$ is the set $\{q_j : j \in I\}$ of states of $Env$, where $I$ is a countable index set. Let $p$ be the probability measure on the index set $I$ such that, for each $j \in I$, $p(j) = \mu_{Env}(q_j)$. For each $j \in I$, we define the probability measure $\epsilon_{1j}'$ as follows. The support $supp(\epsilon_{1j}')$ is the set of execution fragments $\alpha \in supp(\epsilon_1')$ such that $lstate(\alpha).Env = q_j$. For each $\alpha \in supp(\epsilon_{1j}')$ of the form $\alpha'\ a\ q$, let $\epsilon_{1j}'(\alpha) = \epsilon_1(\alpha')$. We define $\epsilon_{2j}'$ analogously from $\epsilon_2'$.

Now fix $j \in I$; we show that $(\epsilon_{1j}', \epsilon_{2j}') \in R$. To do this, we establish Properties 1 and 2 of $R$ for $\epsilon_{1j}'$ and $\epsilon_{2j}'$, and show trace distribution equivalence for $\epsilon_{1j}'$ and $\epsilon_{2j}'$.

To establish Property 1, consider any states $s' \in supp(lstate(\epsilon_{1j}'))$ and $u' \in supp(lstate(\epsilon_{2j}'))$. Let $s$ be any state in $supp(lstate(\epsilon_1))$ such that $s' \in supp(\mu_s)$ where $(s, a, \mu_s) \in D_{Int2\|Env}$. Similarly, let $u$ be any state in $supp(lstate(\epsilon_2))$ such that $u' \in supp(\mu_u)$, where $(u, a, \mu_u) \in D_{SIS\|Env}$.

If $s.TR2.inval(Trans) \neq \bot$ then by Properties 1(a) and 1(b), $u.Funct.inval(Trans) \neq \bot$ and $s.Funct.inval(Trans) \neq \bot$. In this case, task $T$ has no effect on any component other than $Env$, in either system. Since $s'.Env = q_j = u'.Env$ by definition, it is easy to see that Property 1 holds for $s'$ and $u'$.

Now suppose that $s.TR2.inval(Trans) = \bot$. Then again by Properties 1(a) and 1(b), $u.Funct.inval(Trans) = s.Funct.inval(Trans) = \bot$. Then by the definitions of $Int2$ and $SIS$, we know that application of $T$ updates $TR2.inval(Trans)$ and $Funct.inval(Trans)$ in $Int2$, and $Funct.inval(Trans)$ in $SIS$. It also updates the state of $Env$ to $q_j$ in both systems.

We know by Property 1(a) that $u.Funct = s.Funct$, by Property 1(b) that $u.Funct.inval(Trans) = s.TR2.inval(Trans)$, and by 1(j) that $u.Env = s.Env$. By the effects of $T$ in the definitions of $Funct$ and $TR2$, we know that $u'.Funct = s'.Funct$ and $u'.Funct.inval(Trans) = s'.TR2.inval(Trans)$; hence, Properties 1(a) and 1(b) hold for $s'$ and $u'$. We also know that 1(j) holds for $s'$ and $u'$ by definition of $\epsilon_{1j}'$ and $\epsilon_{2j}'$: in both $s'$ and $u'$, the state of $Env$ is $q_j$. Since no state component other than $TR2.inval(Trans)$, $Funct.inval(Trans)$, and $Env$ in the $Int2$ system, and $Funct.inval(Trans)$ and $Env$ in the $SIS$ system, is updated by the application of $T$, we conclude that Property 1 holds for $s'$ and $u'$, and hence, for $\epsilon_{1j}'$ and $\epsilon_{2j}'$.

To establish Property 2, consider any state $u' \in supp(lstate(\epsilon_{2j}'))$ such that $u'.TR.bval = \bot$. We need to show that one of the following holds:

(a) For every $s' \in supp(lstate(\epsilon_{1j}'))$, $s'.Src_{cval}.chosenval = \bot$.

(b) For every $s' \in supp(lstate(\epsilon_{1j}'))$, $s'.TR2.cval = \bot$, and $lstate(\epsilon_{1j}').Src_{cval}.chosenval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$.

(c) $lstate(\epsilon_{1j}').TR2.cval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$.

Let $u$ be any state in $supp(lstate(\epsilon_2))$ such that $u' \in supp(\mu_u)$ where $(u, a, \mu_u) \in D_{SIS\|Env}$. By the effects of $T$, we know that $u.TR.bval = u'.TR.bval = \bot$. Then, by Property 2 for $\epsilon_1$ and $u$, one of the following holds:

(a) For every $s \in supp(lstate(\epsilon_1))$, $s.Src_{cval}.chosenval = \bot$.

(b) For every $s \in supp(lstate(\epsilon_1))$, $s.TR2.cval = \bot$, and $lstate(\epsilon_1).Src_{cval}.chosenval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$.

(c) $lstate(\epsilon_1).TR2.cval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$.

If (a) holds for $\epsilon_1$ and $u$, then consider any $s' \in supp(lstate(\epsilon_{1j}'))$. Let $s$ be any state in $supp(lstate(\epsilon_1))$ such that $s' \in supp(\mu_s)$ where $(s, a, \mu_s) \in D_{Int2\|Env}$. We have by (a) that $s.Src_{cval}.chosenval = \bot$. By the effects of $T$, $s'.Src_{cval}.chosenval = s.Src_{cval}.chosenval = \bot$, and so (a) holds for $\epsilon_{1j}'$ and $u'$.

If (b) holds for $\epsilon_1$ and $u$, then consider any $s' \in supp(lstate(\epsilon_{1j}'))$. Let $s$ be any state in $supp(lstate(\epsilon_1))$ such that $s' \in supp(\mu_s)$ where $(s, a, \mu_s) \in D_{Int2\|Env}$. By the effects of $T$, $s'.TR2.cval = s.TR2.cval = \bot$, so the first part of (b) holds. For the second part of (b), recall that we have defined $\epsilon_{1j}'$ in such a way that for each $\alpha \in supp(\epsilon_{1j}')$, where $\alpha$ is of the form $\alpha'\ a\ q$, we have $\epsilon_{1j}'(\alpha) = \epsilon_1(\alpha')$. Since $T$ transitions do not affect the value of $Src_{cval}.chosenval$, we have that $lstate(\epsilon_{1j}').Src_{cval}.chosenval = lstate(\epsilon_1).Src_{cval}.chosenval$, and (b) holds for $\epsilon_{1j}'$ and $u'$.

If (c) holds for $\epsilon_1$ and $u$, then we argue as for the second part of (b), using the fact that $T$ transitions do not affect $TR2.cval$. Thus, (c) holds for $\epsilon_{1j}'$ and $u'$. Therefore, in all cases, Property 2 holds for $\epsilon_{1j}'$ and $u'$, and hence for $\epsilon_{1j}'$ and $\epsilon_{2j}'$.

The fact that $tdist(\epsilon_{1j}') = tdist(\epsilon_{2j}')$ follows from the fact that $tdist(\epsilon_1) = tdist(\epsilon_2)$ and the definitions of $\epsilon_{1j}'$ and $\epsilon_{2j}'$.

2. $T = \{\textit{in}(i)_{Rec}\}$.

Since $T$ is an output task of $Env$, Claim 2 implies that $T$ is enabled in every state in $supp(lstate(\epsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $supp(lstate(\epsilon_1)) \cup supp(lstate(\epsilon_2))$, and that there is a unique transition $tr_{Env} = (q_{Env}, a, \mu_{Env})$ of $Env$ from $q_{Env}$ with action $a$. Here, $a = \textit{in}(i)_{Rec}$ for a particular value of $i$.

The rest of the proof for this case follows the proof for $T = \{\textit{in}(x)_{Trans}\}$. The only difference is that, in showing that Property 1 holds for $\epsilon_{1j}'$ and $\epsilon_{2j}'$, for a fixed $j$, we use the fact that application of $T$ affects only $Funct.inval(Rec)$ and $Env$ in the $Int2$ system and the $SIS$ system, and use Properties 1(a) and 1(j).

3. $T = \{\textit{choose-rand}_{tdpp}\}$.

Identical to the corresponding case in the proof of Lemma 9.7, but using Property 1(f) instead of 1(g).

4. $T = \{\textit{rand}(p)_{tdpp}\}$.

Identical to the corresponding case in the proof of Lemma 9.7, but using Properties 1(c) and 1(f) instead of 1(d) and 1(g).

5. $T = \{\textit{choose-rand}_{zval}\}$.

Identical to the proof for $T = \{\textit{choose-rand}_{tdpp}\}$, but using Property 1(g) instead of 1(f).

6. $T = \{\textit{rand}(z)_{zval}\}$.

Identical to the proof for $T = \{\textit{rand}(p)_{tdpp}\}$, but using Properties 1(d) and 1(g) instead of 1(c) and 1(f).

7. $T = \{\textit{choose-rand}_{cval}\}$.

Here, a random choice is made in the $Int2$ system but not in the $SIS$ system. Since $corrtasks([lstate(\epsilon_1)], T) = \lambda$, no enabling condition needs to be shown. Also, we have $\epsilon_2' = \epsilon_2$.

Next, we define the probability measures. Let $p$ be the Dirac measure on the single index $1$ and let $\epsilon_{11}' = \epsilon_1'$ and $\epsilon_{21}' = \epsilon_2'$. To show that $(\epsilon_1', \epsilon_2') \in R$, we establish Properties 1 and 2 of $R$ for $\epsilon_1'$ and $\epsilon_2'$, and show trace distribution equivalence for $\epsilon_1'$ and $\epsilon_2'$.

To establish Property 1, consider any states $s' \in supp(lstate(\epsilon_1'))$ and $u' \in supp(lstate(\epsilon_2'))$. Since $\epsilon_2' = \epsilon_2$, we know that $u' \in supp(lstate(\epsilon_2))$. Let $s$ be any state in $supp(lstate(\epsilon_1))$ such that $s' \in supp(\mu_s)$, where $(s, \textit{choose-rand}_{cval}, \mu_s) \in D_{Int2\|Env}$. We know that Property 1 holds for $s$ and $u'$. Observe that the application of $T$ updates only the $s.Src_{cval}.chosenval$ component in the $Int2$ system, and the application of $\lambda$ leaves $u'$ unchanged. Since Property 1 does not mention $Src_{cval}.chosenval$, we conclude that Property 1 holds for $s'$ and $u'$, and hence, for $\epsilon_1'$ and $\epsilon_2'$.

To establish Property 2, consider any state $u' \in supp(lstate(\epsilon_2'))$ such that $u'.TR.bval = \bot$. We show that Property 2(b) holds; that is, we show that for every $s' \in supp(lstate(\epsilon_1'))$, $s'.TR2.cval = \bot$, and $lstate(\epsilon_1').Src_{cval}.chosenval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$.

Consider any $s' \in supp(lstate(\epsilon_1'))$. Let $s$ be any state in $supp(lstate(\epsilon_1))$ such that $s' \in supp(\mu_s)$ where $(s, \textit{choose-rand}_{cval}, \mu_s) \in D_{Int2\|Env}$. Since $\textit{choose-rand}_{cval}$ is enabled in $s$, we know that $s.Src_{cval}.chosenval = \bot$. Therefore, by Lemma 9.4, $s.TR2.cval = \bot$. Since $T$ does not update $TR2.cval$, we have $s'.TR2.cval = \bot$. Hence, the first part of 2(b) holds.

For the second part of 2(b), the effects of $T$ imply that $Src_{cval}.chosenval$ is chosen according to the uniform probability distribution on the domain $\{0,1\} \to \{0,1\}$. So, $lstate(\epsilon_1').Src_{cval}.chosenval$ is the uniform distribution on $\{0,1\} \to \{0,1\}$, as needed.

The fact that $tdist(\epsilon_1') = tdist(\epsilon_2')$ follows from the fact that $tdist(\epsilon_1) = tdist(\epsilon_2)$, the definitions of $\epsilon_1'$ and $\epsilon_2'$, and the fact that $\textit{choose-rand}_{cval}$ is an internal action, so that it does not appear in any trace.

8. T = {rand(c)_{cval}}.

This is a case where a step is taken in the Int2 system but not in the SIS system. Since corrtasks([lstate(ε_1)], T) = λ, no enabling condition needs to be shown, and ε'_2 = ε_2.

Next, we define the probability measures. Let I be the singleton index set {1}, let p be the Dirac measure on 1, and let ε'_{11} = ε'_1 and ε'_{21} = ε'_2.

To show that (ε'_1, ε'_2) ∈ R, we establish Properties 1 and 2 of R for ε'_1 and ε'_2, and show trace distribution equivalence.

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_1)) and u' ∈ supp(lstate(ε'_2)). Since ε'_2 = ε_2, we know that u' ∈ supp(lstate(ε_2)). Let s be any state in supp(lstate(ε_1)) such that s' ∈ supp(μ_s), where (s, rand(c)_{cval}, μ_s) ∈ D_{Int2||Env} and c = s.Src_{cval}.chosenval. We know that Property 1 holds for s and u'. Observe that the application of T updates only the s.TR2.cval component in the Int2 system, and the application of λ leaves u' unchanged. Since Property 1 does not mention TR2.cval, we conclude that Property 1 holds for s' and u', and hence, for ε'_1 and ε'_2, as needed.

To establish Property 2, consider any state u' ∈ supp(lstate(ε'_2)) such that u'.TR.bval = ⊥. We show that Property 2(c) holds; that is, we show that lstate(ε'_1).TR2.cval is the uniform distribution on {0,1} → {0,1}.

Since u' ∈ supp(lstate(ε_2)), we know that Property 2 holds for u' and ε_1. However, 2(a) cannot hold because T is enabled in supp(lstate(ε_1)), so either 2(b) or 2(c) must hold for u' and ε_1.

If 2(b) holds for u' and ε_1, then consider any s' ∈ supp(lstate(ε'_1)). Let s be any state in supp(lstate(ε_1)) such that s' ∈ supp(μ_s), where (s, rand(c)_{cval}, μ_s) ∈ D_{Int2||Env} and c = s.Src_{cval}.chosenval. We know that s.TR2.cval = ⊥ and lstate(ε_1).Src_{cval}.chosenval is the uniform distribution on {0,1} → {0,1}. Then, by the effects of T and the definition of ε'_1, s'.TR2.cval ≠ ⊥ and lstate(ε'_1).TR2.cval is the uniform distribution on {0,1} → {0,1}, and hence 2(c) holds for u' and ε'_1, as needed.

On the other hand, if Property 2(c) holds for u' and ε_1, then we know that lstate(ε_1) projected on TR2.cval is the uniform distribution on {0,1} → {0,1}. Since the application of T affects TR2.cval only if it is ⊥, we know that lstate(ε'_1).TR2.cval = lstate(ε_1).TR2.cval. Therefore, in this case 2(c) holds for u' and ε'_1, as needed.

The fact that tdist(ε'_1) = tdist(ε'_2) follows from the fact that tdist(ε_1) = tdist(ε_2) and the definitions of ε'_1 and ε'_2.

9. T = {fix-bval_{Trans}}.

Here, a deterministic step in the Int2 system maps to a random choice followed by a deterministic step in the SIS system. We first show that the sequence of tasks {choose-rand_{bval}} {rand(b)_{bval}} is enabled in supp(lstate(ε_2)). First, consider any state u ∈ supp(lstate(ε_2)); we show that {choose-rand_{bval}} is enabled in u. Choose any s ∈ supp(lstate(ε_1)). Since T is enabled in s and T is an internal task of TR2, T is enabled in s.TR2. By the precondition of the fix-bval_{Trans} action in TR2, we know that s.TR2.bval = ⊥. By Property 1(h) for s and u, u.Src_{bval}.chosenval = ⊥. So, {choose-rand_{bval}} is enabled in u, as needed.

Now, let ε''_2 be the measure apply(ε_2, {choose-rand_{bval}}). We show that {rand(b)_{bval}} is enabled in supp(lstate(ε''_2)). So consider any state u'' ∈ supp(lstate(ε''_2)). By the effect of {choose-rand_{bval}}, we know that u''.Src_{bval}.chosenval ≠ ⊥, which is the only precondition on actions in {rand(b)_{bval}}. Thus, {rand(b)_{bval}} is enabled in supp(lstate(ε''_2)), as needed.

Next, we claim that lstate(ε_1).TR2.cval is the uniform distribution on {0,1} → {0,1}. To see this, consider any pair of states s ∈ supp(lstate(ε_1)) and u ∈ supp(lstate(ε_2)). Since s.TR2.bval = ⊥, by Property 1(e) we have u.TR.bval = ⊥. Then by Property 2 for u and ε_1, we know that one of the following holds:

(a) s.Src_{cval}.chosenval = ⊥.

(b) s.TR2.cval = ⊥ and lstate(ε_1).Src_{cval}.chosenval is the uniform distribution on {0,1} → {0,1}.

(c) lstate(ε_1).TR2.cval is the uniform distribution on {0,1} → {0,1}.

However, since T is enabled in supp(lstate(ε_1)), we know that s.TR2.cval ≠ ⊥, so 2(b) cannot hold. Using Lemma 9.4, we see that also 2(a) cannot hold. Therefore, 2(c) holds, that is, lstate(ε_1).TR2.cval is the uniform distribution on {0,1} → {0,1}, as needed.

Next, we show that lstate(ε'_1).TR2.bval is the uniform distribution on {0,1} → {0,1}. By Property 1(b), inval(Trans) is the same in all states in supp(lstate(ε_1)). The effect of a fix-bval_{Trans} action in TR2 is to assign TR2.bval a pair of bits obtained by applying ⊕ to the cval bits and the inval(Trans) bits. Thus, since lstate(ε_1).TR2.cval is the uniform distribution on {0,1} → {0,1}, it follows that lstate(ε'_1).TR2.bval is the uniform distribution on {0,1} → {0,1}.

Next we define the probability measures needed to show the step correspondence. Let p be the uniform probability measure on the index set I = {1, …, r}, where r = |{0,1} → {0,1}| = 4. That is, p(j) = 1/4 for each j ∈ I. For each j ∈ I, we define probability measure ε'_{1j} as follows. The support supp(ε'_{1j}) is the set of execution fragments α ∈ supp(ε'_1) such that lstate(α).TR2.bval is the jth element of the domain {0,1} → {0,1}. For each α ∈ supp(ε'_{1j}) of the form α' fix-bval_{Trans} q, let ε'_{1j}(α) = ε_1(α'). Similarly, we define probability distribution ε'_{2j} as follows. The support supp(ε'_{2j}) is the set of execution fragments α ∈ supp(ε'_2) such that lstate(α).TR.bval is the jth element of the domain {0,1} → {0,1}. For each α ∈ supp(ε'_{2j}) of the form α' choose-rand_{bval} q rand(b)_{bval} q', let ε'_{2j}(α) = ε_2(α').

Now fix j ∈ I; we show that (ε'_{1j}, ε'_{2j}) ∈ R. To do this, we establish Properties 1 and 2 of R for ε'_{1j} and ε'_{2j}, and show trace distribution equivalence for ε'_{1j} and ε'_{2j}. To establish Property 1, consider any states s' ∈ supp(lstate(ε'_{1j})) and u' ∈ supp(lstate(ε'_{2j})). By the definitions of Int2 and SIS we know that application of T updates TR2.bval in the Int2 system and application of the sequence {choose-rand_{bval}} {rand(b)_{bval}} updates Src_{bval}.chosenval and TR.bval in the SIS system. We show that Properties 1(e) and 1(h) hold for u' and s'.

Property 1(e) follows from the definitions of ε'_{1j} and ε'_{2j}: both actions give the same element of the domain {0,1} → {0,1} when projected onto TR2.bval and TR.bval. For Property 1(h), we use the fact that u'.TR.bval = s'.TR2.bval, and we observe in addition (using Lemma 9.2) that if u'.TR.bval ≠ ⊥ then u'.Src_{bval}.chosenval = u'.TR.bval. Since no state component other than TR2.bval in the Int2 system is updated by the application of T, and no state component other than TR.bval and Src_{bval}.chosenval is updated by the application of {choose-rand_{bval}} {rand(b)_{bval}} in the SIS system, we conclude that Property 1 holds for s' and u', and hence, for ε'_{1j} and ε'_{2j}.

Property 2 holds trivially in this case since for any state u' ∈ supp(lstate(ε'_{2j})), we have u'.TR.bval ≠ ⊥ by definition of ε'_{2j}.

The fact that tdist(ε'_{1j}) = tdist(ε'_{2j}) follows from the fact that tdist(ε_1) = tdist(ε_2) and the definitions of ε'_{1j} and ε'_{2j}.
10. T = {send(1,f)_{Trans}}.

Identical to the corresponding case in the proof of Lemma 9.7, except that here we replace Trans with TR2 and TR1 with TR, and use Properties 1(c) and 1(i) instead of 1(d) and 1(i).

11. T = {send(2,z)_{Rec}}.

Identical to the corresponding case in the proof of Lemma 9.7, except that here we replace Rec with TR2 and TR1 with TR, and use Property 1(d) instead of 1(e).

12. T = {send(3,b)_{Trans}}.

Identical to the corresponding case in the proof of Lemma 9.7, except that here we replace Trans with TR2 and TR1 with TR, and use Property 1(e) here instead of 1(f).

13. T = {receive(1,f)_{Rec}}.

Identical to the corresponding case in the proof of Lemma 9.7, except that here we replace Rec with TR2. In showing Property 1, we use the fact that applying T has no effect in either system.

14. T = {receive(2,z)_{Trans}}.

Identical to the corresponding case in the proof of Lemma 9.7, except that here we replace Trans with TR2. In showing Property 1, we use the fact that applying T has no effect in either system.

15. T = {receive(3,b)_{Rec}}.

Identical to the corresponding case in the proof of Lemma 9.7, except that here we replace Rec with TR2. In showing Property 1, we use the fact that applying T has no effect in either system.

16. T = {out(x)_{Rec}}.

This case is easier than its counterpart in the proof of Lemma 9.7, since the task is an output task from Funct to Env in both levels. We use Property 1(a) to show enabling. The only interesting aspect of this proof is that Env may make a probabilistic choice on the application of T. The step correspondence can be shown by decomposing the distributions generated by application of T as in the case for T = {in(x)_{Trans}}.

We first show that T is enabled in every state in supp(lstate(ε_2)). So, fix any state u ∈ supp(lstate(ε_2)); we show that T is enabled in u. Note that T is an output task of Funct in both systems. Choose any s ∈ supp(lstate(ε_1)). By Property 1(a), u.Funct = s.Funct. So, T is enabled in u.Funct, and hence in u, as needed.

Next, we show that there is a unique action a ∈ T that is enabled in every state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)). We know by Property 1(a) that the state of Funct is the same in all states in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)). So, out(s.Funct.inval(Trans)(s.Funct.inval(Rec))) is the unique action in T that is enabled in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)). We use a to refer to out(s.Funct.inval(Trans)(s.Funct.inval(Rec))) in the rest of the proof for this case. Then next-transition determinism for Env implies that there is a unique transition of Env from q_{Env} with action a. Let tr_{Env} = (q_{Env}, a, μ_{Env}) be this unique transition.

We define the probability measures needed to show the step correspondence as in the case for in(x)_{Trans}.

To establish Property 1, consider any states s' ∈ supp(lstate(ε'_{1j})) and u' ∈ supp(lstate(ε'_{2j})). Let s be any state in supp(lstate(ε_1)) such that s' ∈ supp(μ_s), where (s, a, μ_s) ∈ D_{Int2||Env}. Similarly, let u be any state in supp(lstate(ε_2)) such that u' ∈ supp(μ_u), where (u, a, μ_u) ∈ D_{SIS||Env}.

By the definitions of the Int2 and SIS systems, we know that application of T does not update any state component of Int2 or SIS; however, it may update the state of Env in both systems. Since Property 1 holds for s and u, we know that all the parts of Property 1 except possibly 1(j) also hold for s' and u'. We also know that 1(j) holds for s' and u' by definition of ε'_{1j} and ε'_{2j}: in both s' and u', the state of Env is q_j. Thus, Property 1 holds for s' and u', and hence, for ε'_{1j} and ε'_{2j}.

The proofs for Property 2 and trace distribution equivalence are similar to the corresponding parts of the proof for T = {in(x)_{Trans}}.

17. T is an output task of Env and an input task of Adv.

Identical to the corresponding case in the proof of Lemma 9.7.

18. T is an output task of Env that is not an input task of Adv, Funct, or TR2, or T is an internal task of Env.

Identical to the corresponding case in the proof of Lemma 9.7.

19. T is an output task of Adv and an input task of Env.

Identical to the corresponding case in the proof of Lemma 9.7.

20. T is an output task of Adv that is not an input task of Env, Funct, or TR2, and is not a receive task, or else T is an internal task of Adv.

Identical to the corresponding case in the proof of Lemma 9.7.

□

Proof. (Of Lemma 9.11:)

By Lemma 9.13, R is a simulation relation from Int2_k||Env to SIS_k||Env. Then Theorem 3.52 implies that tdists(Int2_k||Env) ⊆ tdists(SIS_k||Env). Since Env was chosen arbitrarily, this implies (by definition of ≤_0) that Int2_k ≤_0 SIS_k. □

Proof. (Of Lemma 9.12:)

By Lemma 9.13, R is a simulation relation from Int2_k||Env to SIS_k||Env for which |corrtasks(S,T)| ≤ 2 for every S and T. Since that lemma holds for every k and every Env, Theorem 3.85 implies that Int2 ≤_{neg,pt} SIS. □

9.7 Putting the pieces together

Proof. (Of Theorem 9.1:)

Lemmas 9.6, 9.8, and 9.12, and transitivity of ≤_{neg,pt}, imply that RS ≤_{neg,pt} SIS. Since the simulator SSim_k satisfies the constraints for a simulator in Figure 2, this implies that RS ≤_{neg,pt} IS. □

10 Correctness Proof, Case 2: Receiver Corrupted

This section contains the most interesting case: where only the receiver is corrupted. We prove the following theorem:

Theorem 10.1 Let RS be a real-system family for (D, Tdp, C), C = {Rec}, in which the family Adv of adversary automata is polynomial-time-bounded.

Then there exists an ideal-system family IS for C = {Rec}, in which the family Sim is polynomial-time-bounded, and such that RS ≤_{neg,pt} IS.

As before, since C = {Rec} everywhere in this section, we drop explicit mention of C. Again, we express each Sim_k as a composition of automata, and show that RS, the real-system family, implements the (new) structured-ideal-system family SIS. Again, we introduce two intermediate levels, Int1 and Int2, for the same purpose as in Section 9.
10.1 Simulator structure

For each k, we define a structured simulator SSim_k as the composition of the following five task-PIOAs, with all send, receive, rand and out'' actions hidden.

• TR(D_k, Tdp_k), an abstract combination of Trans(D_k, Tdp_k) and Rec(D_k, Tdp_k, {Rec}).

• (Src(Tdpp_k)_{tdpp})_k, isomorphic to Src(Tdpp_k).

• (Src({0,1} → D_k)_{yval})_k, isomorphic to Src({0,1} → D_k).

• (Src({0,1})_{bval1})_k, isomorphic to Src({0,1}).

• Adv'_k, isomorphic to the adversary Adv_k in (RS)_k. Adv'_k is identical to Adv_k except that its out'(x)_{Rec} input actions are renamed to out''(x)_{Rec}.

TR has send outputs that are inputs to Adv'. The receive outputs of Adv' are not connected to anything.

Since Rec is corrupted, Adv' sees inputs to Rec, and acts as an intermediary for outputs from Rec. Thus, Adv' has in(i)_{Rec} inputs, which come from the environment. Adv' has out''(x)_{Rec} inputs, which are outputs of TR, and out(x)_{Rec} outputs, which go to the environment. Adv' may also interact with the environment, using other inputs and outputs.

Also, Funct provides out'(x)_{Rec} outputs to TR. Thus, TR sees the output produced by Funct, which is one of the input bits provided by the environment to Trans.

The outputs of Src_{tdpp} and Src_{bval1} go to TR only. The outputs of Src_{yval} go both to TR and to Adv'.

TR(D, Tdp) is defined in Figure 15. TR plays roles corresponding to those of both Trans and Rec in the real system. Note that TR produces the bval values without using the inverse of the trap-door permutation. It can do this because it knows the receiver's input value and the yval values.

We define SIS_k, the structured ideal system, to be the composition Funct_k || SSim_k, with all the out'(*) actions hidden.

Lemma 10.2 In every reachable state of SIS_k:

1. If TR_k.inval(Trans) ≠ ⊥ then Funct_k.inval(Trans) ≠ ⊥, Funct_k.inval(Rec) ≠ ⊥, and TR_k.inval(Trans) = Funct_k.inval(Trans)(Funct_k.inval(Rec)).

10.2 Int1

We define Int1_k to be the same as SIS_k except that TR(D_k, Tdp_k) is replaced by TR1(D_k, Tdp_k), whose code appears in Figure 16. TR1 differs from TR as follows: TR1 has input actions in(x)_{Trans}, by which it receives transmitter input values directly from the environment. Also, TR1 does not have an input rand_{bval1} nor a bval1 state variable; rather, TR1 calculates bval values as follows: For the chosen index i (the one that it received in the in(i)_{Rec} input), TR1 uses the hard-core predicate applied to the corresponding yval, combined with the transmitter input obtained as output from Funct; for this, TR1 does not need to use the inverse of the trap-door permutation. On the other hand, for the non-chosen index, TR1 uses the hard-core predicate and the inverse of the trap-door permutation, applied to the zval value.

Lemma 10.3 In every reachable state of Int1_k:

1. If TR1_k.inval(Trans) ≠ ⊥ then Funct_k.inval(Trans) ≠ ⊥, Funct_k.inval(Rec) ≠ ⊥, and TR1_k.inval(Trans) = Funct_k.inval(Trans)(Funct_k.inval(Rec)).

2. If TR1_k.bval ≠ ⊥ then TR1_k.tdpp ≠ ⊥, TR1_k.zval ≠ ⊥, TR1_k.inval(Trans) ≠ ⊥, TR1_k.inval2(Trans) ≠ ⊥, and TR1_k.inval(Rec) ≠ ⊥.
TR(D, Tdp):

Signature:

Input:
  out'(x)_{Rec}, x ∈ {0,1}
  in(i)_{Rec}, i ∈ {0,1}
  rand(p)_{tdpp}, p ∈ Tdpp
  rand(y)_{yval}, y ∈ ({0,1} → D)
  rand(b)_{bval1}, b ∈ {0,1}

Output:
  send(1, f)_{Trans}, f ∈ Tdp
  send(2, z)_{Rec}, z ∈ ({0,1} → D)
  send(3, b)_{Trans}, b ∈ ({0,1} → {0,1})
  out''(x)_{Rec}, x ∈ {0,1}

Internal:
  fix-zval_{Rec}
  fix-bval_{Trans}

State:
  inval(Trans), inval(Rec) ∈ {0,1,⊥}, initially ⊥
  tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
  yval, zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  bval1 ∈ {0,1,⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:

out'(x)_{Rec}
  Effect:
    if inval(Trans) = ⊥ then inval(Trans) := x

in(i)_{Rec}
  Effect:
    if inval(Rec) = ⊥ then inval(Rec) := i

rand(p)_{tdpp}
  Effect:
    if tdpp = ⊥ then tdpp := p

rand(y)_{yval}
  Effect:
    if yval = ⊥ then yval := y

rand(b)_{bval1}
  Effect:
    if bval1 = ⊥ then bval1 := b

fix-zval_{Rec}
  Precondition:
    yval, inval(Rec), tdpp ≠ ⊥
    zval = ⊥
  Effect:
    zval(inval(Rec)) := tdpp.funct(yval(inval(Rec)))
    zval(1 − inval(Rec)) := yval(1 − inval(Rec))

fix-bval_{Trans}
  Precondition:
    yval, inval(Trans), inval(Rec), bval1 ≠ ⊥
    bval = ⊥
  Effect:
    bval(inval(Rec)) := B(yval(inval(Rec))) ⊕ inval(Trans)
    bval(1 − inval(Rec)) := bval1

out''(x)_{Rec}
  Precondition:
    x = inval(Trans) ≠ ⊥
  Effect:
    none

send(1, f)_{Trans}
  Precondition:
    tdpp ≠ ⊥, f = tdpp.funct
  Effect:
    none

send(2, z)_{Rec}
  Precondition:
    z = zval ≠ ⊥
  Effect:
    none

send(3, b)_{Trans}
  Precondition:
    b = bval ≠ ⊥
  Effect:
    none

Tasks: {out'(*)_{Rec}}, {in(*)_{Rec}}, {rand(*)_{tdpp}}, {rand(*)_{yval}}, {rand(*)_{bval1}}, {send(1,*)_{Trans}}, {send(2,*)_{Rec}}, {send(3,*)_{Trans}}, {out''(*)_{Rec}}, {fix-zval_{Rec}}, {fix-bval_{Trans}}.

State relation: q_1 and q_2 are related iff: q_1.inval(Trans) = ⊥ iff q_2.inval(Trans) = ⊥, and similarly for inval(Rec), tdpp, yval, zval, bval1, and bval.

Figure 15: TR(D, Tdp), for the case where C = {R}.
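The following is an added, executable toy of the task-PIOA TR(D, Tdp) of Figure 15; it is not code from the paper. ⊥ is modelled as None, the state is a dictionary, input actions are always enabled and only take effect while the variable is still ⊥, and locally controlled actions carry a precondition and an effect. The domain D = {0, …, 15}, the class ToyTdpp (an affine permutation of Z_16 with no cryptographic strength) and the choice of the low bit as the hard-core predicate B are assumptions made for the example only.

```python
"""Executable toy of TR(D, Tdp) from Figure 15 (added example, not the paper's code)."""

N = 16  # toy domain D = {0, ..., 15} (assumption)


class ToyTdpp:
    """Toy trap-door permutation pair: funct is public, inverse is the trap door (assumption)."""

    def __init__(self, a=5, b=3):
        self.a, self.b, self.a_inv = a, b, pow(a, -1, N)  # odd a => permutation of Z_16

    def funct(self, y):
        return (self.a * y + self.b) % N

    def inverse(self, z):
        return ((z - self.b) * self.a_inv) % N


def B(v):
    """Toy hard-core predicate: the low bit (assumption)."""
    return v & 1


def initial_state():
    # Every state variable of TR starts at ⊥ (None).
    return {"inval_Trans": None, "inval_Rec": None, "tdpp": None,
            "yval": None, "zval": None, "bval1": None, "bval": None}


def input_effect(var):
    # Input actions of TR: "if var = ⊥ then var := value"; later inputs are ignored.
    def eff(s, v):
        if s[var] is None:
            s[var] = v
    return eff


INPUTS = {"out'_Rec": input_effect("inval_Trans"),
          "in_Rec": input_effect("inval_Rec"),
          "rand_tdpp": input_effect("tdpp"),
          "rand_yval": input_effect("yval"),
          "rand_bval1": input_effect("bval1")}


def pre_fix_zval(s):
    return all(s[k] is not None for k in ("yval", "inval_Rec", "tdpp")) and s["zval"] is None


def eff_fix_zval(s):
    i = s["inval_Rec"]
    z = [None, None]
    z[i] = s["tdpp"].funct(s["yval"][i])   # zval(i) := tdpp.funct(yval(i))
    z[1 - i] = s["yval"][1 - i]            # zval(1-i) := yval(1-i)
    s["zval"] = z


def pre_fix_bval(s):
    return (all(s[k] is not None for k in ("yval", "inval_Trans", "inval_Rec", "bval1"))
            and s["bval"] is None)


def eff_fix_bval(s):
    i = s["inval_Rec"]
    b = [None, None]
    b[i] = B(s["yval"][i]) ^ s["inval_Trans"]   # no use of tdpp.inverse here
    b[1 - i] = s["bval1"]                        # the non-chosen bit is the random bval1
    s["bval"] = b


# Locally controlled tasks: (precondition, effect). Output tasks only need their
# precondition; the value they carry is read off the state, so the effect is "none".
LOCAL = {
    "fix-zval_Rec": (pre_fix_zval, eff_fix_zval),
    "fix-bval_Trans": (pre_fix_bval, eff_fix_bval),
    "send(1,*)_Trans": (lambda s: s["tdpp"] is not None, lambda s: None),
    "send(2,*)_Rec": (lambda s: s["zval"] is not None, lambda s: None),
    "send(3,*)_Trans": (lambda s: s["bval"] is not None, lambda s: None),
    "out''(*)_Rec": (lambda s: s["inval_Trans"] is not None, lambda s: None),
}


def enabled(s, task):
    """A task is enabled iff it is an input task or its precondition holds in s."""
    return task in INPUTS or LOCAL[task][0](s)


def apply_task(s, task, value=None):
    """Apply one task to s in place; return False if a local task is not enabled."""
    if task in INPUTS:
        INPUTS[task](s, value)
        return True
    pre, eff = LOCAL[task]
    if not pre(s):
        return False
    eff(s)
    return True


def run(schedule):
    """Apply a schedule of (task, value) pairs from the initial state; return the final state."""
    s = initial_state()
    for task, value in schedule:
        apply_task(s, task, value)
    return s
```

A schedule such as rand_tdpp, rand_yval, in_Rec, fix-zval_Rec, out'_Rec, rand_bval1, fix-bval_Trans drives TR to a state with bval set; fix-bval_Trans is not enabled before bval1 has arrived, and a second rand_yval input has no effect, which is the "if ⊥ then assign" discipline the figure uses for every input.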
TR1(D, Tdp):

Signature:

Input:
  in(x)_{Trans}, x ∈ ({0,1} → {0,1})
  out'(x)_{Rec}, x ∈ {0,1}
  in(i)_{Rec}, i ∈ {0,1}
  rand(p)_{tdpp}, p ∈ Tdpp
  rand(y)_{yval}, y ∈ ({0,1} → D)

Output:
  send(1, f)_{Trans}, f ∈ Tdp
  send(2, z)_{Rec}, z ∈ ({0,1} → D)
  send(3, b)_{Trans}, b ∈ ({0,1} → {0,1})
  out''(x)_{Rec}, x ∈ {0,1}

Internal:
  fix-zval_{Rec}
  fix-bval_{Trans}

State:
  inval(Trans), inval(Rec) ∈ {0,1,⊥}, initially ⊥
  inval2(Trans) ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
  yval, zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥

Transitions:

in(x)_{Trans}
  Effect:
    if inval2(Trans) = ⊥ then inval2(Trans) := x

out'(x)_{Rec}, in(i)_{Rec}, rand(p)_{tdpp}, or rand(y)_{yval}
  Effect:
    As for TR(D, Tdp).

fix-bval_{Trans}
  Precondition:
    tdpp, zval, inval(Trans), inval2(Trans), inval(Rec) ≠ ⊥
    bval = ⊥
  Effect:
    bval(inval(Rec)) := B(yval(inval(Rec))) ⊕ inval(Trans)
    bval(1 − inval(Rec)) := B(tdpp.inverse(zval(1 − inval(Rec)))) ⊕ inval2(Trans)(1 − inval(Rec))

fix-zval_{Rec}, out''(x)_{Rec}, send(1, f)_{Trans}, send(2, z)_{Rec}, or send(3, b)_{Trans}
  Precondition:
    As for TR(D, Tdp).
  Effect:
    As for TR(D, Tdp).

Tasks: {in(*)_{Trans}}, {out'(*)_{Rec}}, {in(*)_{Rec}}, {rand(*)_{tdpp}}, {rand(*)_{yval}}, {send(1,*)_{Trans}}, {send(2,*)_{Rec}}, {send(3,*)_{Trans}}, {out''(*)_{Rec}}, {fix-zval_{Rec}}, {fix-bval_{Trans}}.

State relation: q_1 and q_2 are related iff: q_1.inval(Trans) = ⊥ iff q_2.inval(Trans) = ⊥, and similarly for inval(Rec), inval2(Trans), tdpp, yval, zval, and bval.

Figure 16: TR1(D, Tdp), for the case where C = {R}.

10.3 Int2

Int2_k is the same as SIS_k, except that:

1. It includes a new random source (Src({0,1})_{cval1})_k, which is isomorphic to Src({0,1}).

2. TR(D_k, Tdp_k) is replaced by TR2(D_k, Tdp_k), where TR2(D, Tdp) is identical to TR1(D, Tdp) except that:

(a) TR2 includes an extra state variable cval1 ∈ {0,1,⊥}.

(b) TR2 has input action rand(c)_{cval1}, which sets cval1 := c.

(c) The line in fix-bval_{Trans} in which bval(1 − inval(Rec)) is determined is replaced by:

bval(1 − inval(Rec)) := cval1 ⊕ inval2(Trans)(1 − inval(Rec)).

Thus, instead of calculating the bval value for the non-selected index using the hard-core predicate, TR2 obtains it by applying ⊕ to a bit chosen randomly and the actual x input for that index.

The code for TR2(D, Tdp) appears in Figure 17.
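The three ways of fixing bval described above (the real Trans, TR1 with the trap-door inverse on the non-chosen index, and TR2 with a fresh random bit) can be compared directly. The following added example is not code from the paper; it uses the same toy affine permutation of Z_16 and the low bit as the hard-core predicate B (both assumptions made only for the example), and it also serves the argument of case 9 in the proof of Lemma 9.13, where bval is uniform on {0,1} → {0,1} because it is cval ⊕ inval(Trans) for uniform cval. The example goes beyond the single instance in the text by checking the TR1/Trans agreement over every yval, index and input, and by computing the exact distribution of the masked bits rather than sampling it.

```python
"""Compare the bval computations of Trans, TR1 and TR2 (added example, not the paper's code)."""
from itertools import product

N = 16                      # toy domain D = {0, ..., 15} (assumption)
A, C = 5, 3                 # odd multiplier: affine map is a permutation of Z_16 (assumption)
A_INV = pow(A, -1, N)       # the "trap door" for the toy permutation


def tdp_funct(y):           # tdpp.funct, public direction
    return (A * y + C) % N


def tdp_inverse(z):         # tdpp.inverse, needs the trap door
    return ((z - C) * A_INV) % N


def B(v):                   # toy hard-core predicate: low bit (assumption)
    return v & 1


def rec_fix_zval(yval, i):
    """Rec's fix-zval: zval(i) := f(yval(i)); zval(1-i) := yval(1-i)."""
    zval = [None, None]
    zval[i] = tdp_funct(yval[i])
    zval[1 - i] = yval[1 - i]
    return zval


def trans_fix_bval_real(zval, x):
    """Real Trans: bval(j) := B(f^{-1}(zval(j))) xor x(j) for both j, using the inverse twice."""
    return [B(tdp_inverse(zval[j])) ^ x[j] for j in (0, 1)]


def tr1_fix_bval(yval, zval, i, x_i, x):
    """TR1 (Figure 16): chosen index from yval and Funct's output x_i; other index via the inverse."""
    bval = [None, None]
    bval[i] = B(yval[i]) ^ x_i
    bval[1 - i] = B(tdp_inverse(zval[1 - i])) ^ x[1 - i]
    return bval


def tr2_fix_bval(yval, i, x_i, x, cval1):
    """TR2 (Section 10.3): the non-chosen bit is a random bit xor the actual input bit."""
    bval = [None, None]
    bval[i] = B(yval[i]) ^ x_i
    bval[1 - i] = cval1 ^ x[1 - i]
    return bval


def tr1_matches_real():
    """Property 1(i) of Section 10.4.1 in the toy: TR1.bval equals Trans.bval for every
    yval, chosen index i and transmitter input x, since B(f^{-1}(f(yval(i)))) = B(yval(i))."""
    for y0, y1, i, x0, x1 in product(range(N), range(N), (0, 1), (0, 1), (0, 1)):
        yval, x = [y0, y1], [x0, x1]
        zval = rec_fix_zval(yval, i)
        x_i = x[i]   # Funct.inval(Trans)(Funct.inval(Rec)), delivered to TR1 by out'(x)_Rec
        if tr1_fix_bval(yval, zval, i, x_i, x) != trans_fix_bval_real(zval, x):
            return False
    return True


def tr2_nonchosen_bit_distribution(x, i):
    """Exact distribution of TR2's bval(1-i) when cval1 is uniform on {0,1}: it is
    uniform whatever the input x(1-i) is, which is why Int2 can drop the inverse."""
    counts = {0: 0, 1: 0}
    for cval1 in (0, 1):
        counts[cval1 ^ x[1 - i]] += 1
    return {b: n / 2 for b, n in counts.items()}


def xor_mask_distribution(x):
    """Case 9 of Lemma 9.13: cval xor x for uniform cval in {0,1} -> {0,1} is uniform
    over the 4 bit pairs, for any fixed pair x = inval(Trans)."""
    counts = {}
    for cval in product((0, 1), repeat=2):
        bval = (cval[0] ^ x[0], cval[1] ^ x[1])
        counts[bval] = counts.get(bval, 0) + 1
    return {bval: n / 4 for bval, n in counts.items()}
```

The two distribution functions enumerate the random bits exhaustively rather than sampling, so the uniformity claim is checked exactly; the TR1 check enumerates all 16·16·2·2·2 combinations of the toy parameters.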

TR2(D, Tdp):

Signature:

Input:
  in(x)_{Trans}, x ∈ ({0,1} → {0,1})
  out'(x)_{Rec}, x ∈ {0,1}
  in(i)_{Rec}, i ∈ {0,1}
  rand(p)_{tdpp}, p ∈ Tdpp
  rand(y)_{yval}, y ∈ ({0,1} → D)
  rand(c)_{cval1}, c ∈ {0,1}

Output:
  send(1, f)_{Trans}, f ∈ Tdp
  send(2, z)_{Rec}, z ∈ ({0,1} → D)
  send(3, b)_{Trans}, b ∈ ({0,1} → {0,1})
  out''(x)_{Rec}, x ∈ {0,1}

Internal:
  fix-zval_{Rec}
  fix-bval_{Trans}

State:
  inval(Trans), inval(Rec) ∈ {0,1,⊥}, initially ⊥
  inval2(Trans) ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  tdpp ∈ Tdpp ∪ {⊥}, initially ⊥
  yval, zval ∈ ({0,1} → D) ∪ {⊥}, initially ⊥
  bval ∈ ({0,1} → {0,1}) ∪ {⊥}, initially ⊥
  cval1 ∈ {0,1,⊥}, initially ⊥

Transitions:

in(x)_{Trans}
  Effect:
    if inval2(Trans) = ⊥ then inval2(Trans) := x

out'(x)_{Rec}, in(i)_{Rec}, rand(p)_{tdpp}, or rand(y)_{yval}
  Effect:
    As for TR(D, Tdp).

rand(c)_{cval1}
  Effect:
    if cval1 = ⊥ then cval1 := c

fix-bval_{Trans}
  Precondition:
    yval, cval1, inval(Trans), inval2(Trans) ≠ ⊥
    inval(Rec) ≠ ⊥
    bval = ⊥
  Effect:
    bval(inval(Rec)) := B(yval(inval(Rec))) ⊕ inval(Trans)
    bval(1 − inval(Rec)) := cval1 ⊕ inval2(Trans)(1 − inval(Rec))

fix-zval_{Rec}, out''(x)_{Rec}, send(1, f)_{Trans}, send(2, z)_{Rec}, or send(3, b)_{Trans}
  Precondition:
    As for TR(D, Tdp).
  Effect:
    As for TR(D, Tdp).

Tasks: {in(*)_{Trans}}, {out'(*)_{Rec}}, {in(*)_{Rec}}, {rand(*)_{tdpp}}, {rand(*)_{yval}}, {rand(*)_{cval1}}, {send(1,*)_{Trans}}, {send(2,*)_{Rec}}, {send(3,*)_{Trans}}, {out''(*)_{Rec}}, {fix-zval_{Rec}}, {fix-bval_{Trans}}.

State relation: q_1 and q_2 are related iff: q_1.inval(Trans) = ⊥ iff q_2.inval(Trans) = ⊥, and similarly for inval(Rec), inval2(Trans), tdpp, yval, zval, bval, and cval1.

Figure 17: TR2(D, Tdp), for the case where C = {R}.



10.4 RS implements Int1

We show:

Lemma 10.4 For every k, RS_k ≤_0 Int1_k.

We prove Lemma 10.4 by choosing an arbitrary environment Env for RS_k and Int1_k, and establishing a simulation relation from RS_k||Env to Int1_k||Env. Then we appeal to Theorem 3.52, the soundness result for simulation relations. As for Case 1, the mapping must reconcile the different ways in which zval gets defined in RS and Int1. We also show the following lemma, which is what we need to put the pieces of the proof together:

Lemma 10.5 RS ≤_{neg,pt} Int1.

In the rest of this subsection fix Env, an environment for RS_k and Int1_k.

10.4.1 State correspondence

Here we define the correspondence R between the states of RS||Env and Int1||Env, which we will show to be a simulation relation in Section 10.4.2.

Let ε_1 and ε_2 be discrete probability measures on finite execution fragments of RS||Env and Int1||Env, respectively, satisfying the following properties:

1. Trace distribution equivalence: tdist(ε_1) = tdist(ε_2).

2. State equivalence: There exist state equivalence classes S_1 ∈ RS_{RS||Env} and S_2 ∈ RS_{Int1||Env} such that supp(lstate(ε_1)) ⊆ S_1 and supp(lstate(ε_2)) ⊆ S_2.

Then we say that (ε_1, ε_2) ∈ R if and only if all of the following hold:

1. For every s ∈ supp(lstate(ε_1)) and u ∈ supp(lstate(ε_2)):

(a) u.Funct.inval(Trans) = s.Trans.inval.

(b) u.Funct.inval(Rec) = s.Rec.inval.

(c) If s.Rec.outval ≠ ⊥ then u.TR1.inval(Trans) = s.Rec.outval.

(d) u.TR1.inval2(Trans) = s.Trans.inval.

(e) u.TR1.inval(Rec) = s.Rec.inval.

(f) u.TR1.tdpp = s.Trans.tdpp.

(g) u.TR1.yval = s.Rec.yval.

(h) u.TR1.zval = s.Rec.zval.

(i) u.TR1.bval = s.Trans.bval.

(j) u.Src_{tdpp} = s.Src_{tdpp}.

(k) u.Src_{yval} = s.Src_{yval}.

(l) u.Adv' = s.Adv.

(m) u.Env = s.Env.

10.4.2 The mapping proof

Lemma 10.6 The relation R defined in Section 10.4.1 is a simulation relation from RS||Env to Int1||Env. Furthermore, for each step of RS||Env, the step correspondence yields at most two steps of Int1||Env, that is, for every S, T, |corrtasks(S,T)| ≤ 2.

The idea of the proof is as follows. All of the tasks in RS||Env correspond to the same tasks in Int1||Env, with two exceptions. The first exception is the {fix-bval_{Trans}} task, by which Trans in the RS system determines the value of bval, having already received its own input and a round 2 message. This gets mapped to an output task {out'(x)_{Rec}} from Funct to TR1 in the Int1 system, followed by the {fix-bval_{Trans}} task of TR1. The second exception is the {out'(*)_{Rec}} task, by which Rec in the RS system outputs its result to Adv; this gets mapped to the {out''(*)_{Rec}} task from TR1 to Adv' in the Int1 system.
Proof. We prove that R satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique start states s and u of, respectively, RS||Env and Int1||Env are R-related. Property 1 of R holds because the state components of s and u on which R depends are all ⊥.

Step condition: We define corrtasks : RS_{RS||Env} × RA_{RS||Env} → RA*_{Int1||Env} as follows:

For any (S, T) ∈ (RS_{RS||Env} × RA_{RS||Env}):

• If T ∈ {{in(x)_{Trans}}, {in(i)_{Rec}}, {choose-rand_{tdpp}}, {rand_{tdpp}}, {choose-rand_{yval}}, {rand_{yval}}, {fix-zval_{Rec}}, {send(1,f)_{Trans}}, {receive(1,f)_{Rec}}, {send(2,z)_{Rec}}, {receive(2,z)_{Trans}}, {send(3,b)_{Trans}}, {receive(3,b)_{Rec}}, {out(x)_{Rec}}}, then corrtasks(S,T) = T.

• If T is an output or internal task of Env or Adv that is not one of the tasks listed above, then corrtasks(S,T) = T.

• If T = {fix-bval_{Trans}} then corrtasks(S,T) = {out'(x)_{Rec}} {fix-bval_{Trans}}.

• If T = {out'(x)_{Rec}} then corrtasks(S,T) = {out''(x)_{Rec}}.

Suppose (ε_1, ε_2) ∈ R and T is a task of RS||Env that is enabled in supp(lstate(ε_1)). Let ε'_1 = apply(ε_1, T) and ε'_2 = apply(ε_2, corrtasks([lstate(ε_1)], T)).

The state equivalence property for ε_1 and ε_2 and Lemma 3.29 imply the state equivalence property for ε'_1 and ε'_2; that is, there exist state equivalence classes S_1 ∈ RS_{RS||Env} and S_2 ∈ RS_{Int1||Env} such that supp(lstate(ε'_1)) ⊆ S_1 and supp(lstate(ε'_2)) ⊆ S_2.

Claim 1:

1. The state of Env is the same in all states in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)). Let q_{Env} denote this state of Env.

This follows from Property 1(m).

2. The state of Adv or Adv' is the same in all states in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)). Let q_{Adv} denote this state of Adv and Adv'.

This follows from Property 1(l).

Claim 2:

1. If T (defined above) is an output or internal task of Env, then

(a) T is enabled in every state in supp(lstate(ε_2)).

(b) There is a unique action a ∈ T that is enabled in every state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)).

(c) There is a unique transition of Env from q_{Env} with action a; let tr_{Env} = (q_{Env}, a, μ_{Env}) be this transition.

2. If T is an output or internal task of Adv, then

(a) T is enabled in every state in supp(lstate(ε_2)).

(b) There is a unique action a ∈ T that is enabled in every state in supp(lstate(ε_1)) ∪ supp(lstate(ε_2)).

(c) There is a unique transition of Adv from q_{Adv} with action a; let tr_{Adv} = (q_{Adv}, a, μ_{Adv}) be this transition.

We establish the step condition by considering cases based on the value of T. The proof follows the same outline as for Lemma 9.7, except that instead of checking that Properties 1 and 2 are preserved, we need only check Property 1.
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1. T = {l7l(x) Trans}- 

Since T is an output task of Env, Claim 2 implies that T is enabled in every state in supp(lstate(e2)) , 
that there is a unique action a € T that is enabled in every state in supp(lstate(ei))Usupp(lstate(e2)), 
and that there is a unique transition trEnv — {qEnv, a, HEnv) of Env from qEnv with action a. Here, 
a = in(x) Trans for a particular value of x. 

Next we define the probability measures needed to show the step correspondence. Suppose that 
supp(fiEnv) is the set {qj : j G /} of states of Env, where / is a countable index set. Let p be 
the probability measure on the index set / such that, for each j G I, p(j) = /iEnv{qj)- For each 
$j \in I$, we define probability measure $\varepsilon'_{1,j}$ as follows. The support $\mathit{supp}(\varepsilon'_{1,j})$ is the set of execution fragments $\alpha \in \mathit{supp}(\varepsilon'_1)$ such that $\mathit{lstate}(\alpha).\mathit{Env} = q_j$. For each $\alpha \in \mathit{supp}(\varepsilon'_{1,j})$ of the form $\alpha'\, a\, q_j$, let $\varepsilon'_{1,j}(\alpha) = \varepsilon_1(\alpha')$. We define $\varepsilon'_{2,j}$ analogously from $\varepsilon'_2$.

Now fix $j \in I$; it remains to show that $(\varepsilon'_{1,j}, \varepsilon'_{2,j}) \in R$. To do this, we establish Property 1 of $R$ for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, and show trace distribution equivalence for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

To establish Property 1, consider any states $s' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_{1,j}))$ and $u' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_{2,j}))$. Let $s$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1))$ such that $s' \in \mathit{supp}(\mu_s)$ where $(s, a, \mu_s) \in D_{RS \| Env}$. Similarly, let $u$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ such that $u' \in \mathit{supp}(\mu_u)$ where $(u, a, \mu_u) \in D_{Int1 \| Env}$.

If s.Trans.inval $\neq \bot$ then by Properties 1(a) and 1(d), u.Funct.inval(Trans) $\neq \bot$ and u.TR1.inval2(Trans) $\neq \bot$. In this case, task $T$ has no effect on any component other than Env, in either system. Since s'.Env $= q_j =$ u'.Env by definition, it is easy to see that Property 1 holds for $s'$ and $u'$, and hence, for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

Now suppose that s.Trans.inval $= \bot$. Then again by Properties 1(a) and 1(d), u.Funct.inval(Trans) = u.TR1.inval2(Trans) $= \bot$. Then by the definitions of RS and Int1, we know that application of $T$ updates Trans.inval in the RS system, and Funct.inval(Trans) and TR1.inval2(Trans) in the Int1 system. It also updates the state of Env in both systems.

We know by Property 1(a) that u.Funct.inval(Trans) = s.Trans.inval, by 1(d) that u.TR1.inval2(Trans) = s.Trans.inval, and by 1(m) that u.Env = s.Env. By the effects of $T$ in the definitions of Trans, Funct, and TR1, we know that u'.Funct.inval(Trans) = s'.Trans.inval and u'.TR1.inval2(Trans) = s'.Trans.inval; hence, Properties 1(a) and 1(d) hold for $s'$ and $u'$. We also know that 1(m) holds by the definition of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$. Since no component other than Trans.inval and Env in the RS system, and Funct.inval(Trans), TR1.inval2(Trans), and Env in the Int1 system, is updated by the application of $T$, we conclude that Property 1 holds for $s'$ and $u'$, and hence, for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

The fact that $\mathit{tdist}(\varepsilon'_{1,j}) = \mathit{tdist}(\varepsilon'_{2,j})$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

2. T = {in(i)_Rec}.

Here, $T$ is shared between Env and Adv in both systems. In addition, it is an input to Rec in the RS system and to TR1 in the Int1 system. We must consider the probabilistic branching of Adv as well as Env in this case.

Since $T$ is an output task of Env, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Env} = (q_{Env}, a, \mu_{Env})$ of Env from $q_{Env}$ with action $a$. Here, $a = in(i)_{Rec}$ for a particular value of $i$. Also, by next-transition determinism, it follows that there is a unique transition of Adv with action $a$ from $q_{Adv}$. Let $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ be this transition.

Next we define the probability measures needed to show the step correspondence. Suppose that $\mathit{supp}(\mu_{Env} \times \mu_{Adv})$ is the set $\{(q_{1j}, q_{2j}) : j \in I\}$ of pairs of states, where $I$ is a countable index set. Let $p$ be the probability measure on the index set $I$ such that, for each $j \in I$, $p(j) = (\mu_{Env} \times \mu_{Adv})(q_{1j}, q_{2j})$. For each $j \in I$, we define probability measure $\varepsilon'_{1,j}$ as follows. The support $\mathit{supp}(\varepsilon'_{1,j})$ is the set of execution fragments $\alpha \in \mathit{supp}(\varepsilon'_1)$ such that $\mathit{lstate}(\alpha).\mathit{Env} = q_{1j}$ and $\mathit{lstate}(\alpha).\mathit{Adv} = q_{2j}$. For each $\alpha \in \mathit{supp}(\varepsilon'_{1,j})$ of the form $\alpha'\, a\, q$, let $\varepsilon'_{1,j}(\alpha) = \varepsilon_1(\alpha')$. We construct $\varepsilon'_{2,j}$ analogously from $\varepsilon'_2$.

The rest of the proof for this case follows the proof for T = {in(x)_Trans}. The only difference is that in showing Property 1 for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$ for a fixed $j$, we use the fact that application of $T$ affects only Rec.inval, Adv, and Env in the RS system, and Funct.inval(Rec), TR1.inval(Rec), Adv', and Env in the Int1 system, and use Properties 1(b), 1(e), 1(l) and 1(m), instead of 1(a), 1(d) and 1(m).

3. T = {choose-rand_tdpp}.

We first show that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Fix any state $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$; we show that $T$ is enabled in $u$. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an internal task of Src_tdpp, $T$ is enabled in s.Src_tdpp. The precondition of $T$ in the definition of Src_tdpp implies that s.Src_tdpp.chosenval $= \bot$. By Property 1(j), u.Src_tdpp = s.Src_tdpp. So, $T$ is enabled in u.Src_tdpp, and hence in $u$, as needed.

Next we define the probability measures needed to show the step correspondence. Let $p$ be the uniform probability measure on the index set $I = \{1, \ldots, r\}$ where $r = |Tdpp|$. That is, $p(j) = 1/r$ for each $j \in I$. For each $j \in I$, we define probability measure $\varepsilon'_{1,j}$ as follows. The support $\mathit{supp}(\varepsilon'_{1,j})$ is the set of execution fragments $\alpha \in \mathit{supp}(\varepsilon'_1)$ such that $\mathit{lstate}(\alpha)$.Src_tdpp.chosenval is the $j$th element in the domain Tdpp. For each $\alpha \in \mathit{supp}(\varepsilon'_{1,j})$ of the form $\alpha'\, \mathit{choose\text{-}rand}_{tdpp}\, q$, let $\varepsilon'_{1,j}(\alpha) = \varepsilon_1(\alpha')$. We define $\varepsilon'_{2,j}$ analogously from $\varepsilon'_2$.

Now fix $j \in I$; we show that $(\varepsilon'_{1,j}, \varepsilon'_{2,j}) \in R$. To do this, we establish Property 1 of $R$ for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, and show trace distribution equivalence for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

To establish Property 1, consider any states $s' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_{1,j}))$ and $u' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_{2,j}))$. By the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, we know that u'.Src_tdpp.chosenval = s'.Src_tdpp.chosenval. Hence, Property 1(j) holds. Since no component other than Src_tdpp.chosenval is updated by the application of $T$, we conclude that Property 1 holds for $s'$ and $u'$, and hence, for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

The fact that $\mathit{tdist}(\varepsilon'_{1,j}) = \mathit{tdist}(\varepsilon'_{2,j})$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

4. T = {rand(p)_tdpp}.

We first show that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Fix any state $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$; we show that $T$ is enabled in $u$. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an output task of Src_tdpp, $T$ is enabled in s.Src_tdpp and s.Src_tdpp.chosenval $\neq \bot$. By Property 1(j), u.Src_tdpp = s.Src_tdpp. So, $T$ is enabled in u.Src_tdpp, and hence in $u$, as needed.

We show that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. We know by Property 1(j) that the state of Src_tdpp is the same in all states in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Let $q$ denote this state of Src_tdpp. By the next-action determinism property for Src_tdpp we know that there is a unique action $a \in T$ that is enabled in $q$. Since $T$ is an output task of Src_tdpp, $a$ is also the unique action in $T$ that is enabled in each state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$.

The probability measures for this case are trivial: let $I$ be the singleton index set $\{1\}$, let $p$ be the Dirac measure on 1, and let $\varepsilon'_{1,1} = \varepsilon'_1$ and $\varepsilon'_{2,1} = \varepsilon'_2$. To show that $(\varepsilon'_1, \varepsilon'_2) \in R$, we establish Property 1 of $R$ for $\varepsilon'_1$ and $\varepsilon'_2$, and show trace distribution equivalence for $\varepsilon'_1$ and $\varepsilon'_2$.

To establish Property 1, consider any states $s' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_1))$ and $u' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_2))$. Let $s$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1))$ such that $s' \in \mathit{supp}(\mu_s)$ where $(s, a, \mu_s) \in D_{RS \| Env}$. Similarly, let $u$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ such that $u' \in \mathit{supp}(\mu_u)$ where $(u, a, \mu_u) \in D_{Int1 \| Env}$.

By the definitions of RS and Int1 we know that application of $T$ updates Trans.tdpp in the RS system, and TR1.tdpp in the Int1 system. We know by Property 1(f) that u.TR1.tdpp = s.Trans.tdpp. By the effects of $T$ in Trans and TR1, we know that u'.TR1.tdpp = s'.Trans.tdpp; hence, Property 1(f) holds. Since no component other than Trans.tdpp in the RS system and TR1.tdpp in the Int1 system is updated by the application of $T$, we conclude that Property 1 holds for $s'$ and $u'$, and hence, for $\varepsilon'_1$ and $\varepsilon'_2$.

The fact that $\mathit{tdist}(\varepsilon'_1) = \mathit{tdist}(\varepsilon'_2)$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_1$ and $\varepsilon'_2$.

5. T = {choose-rand_yval}.

This case is analogous to the case for T = {choose-rand_tdpp}. In showing that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, we use Property 1(k) instead of 1(j). In showing the step correspondence, we use the domain $(\{0,1\} \to D)$ instead of Tdpp and also use Property 1(k) instead of 1(j).

6. T = {rand(y)_yval}.

We show that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ using an argument analogous to the one for T = {rand(p)_tdpp}. Here we use Property 1(k) instead of 1(j).

Since the application of $T$ may cause probabilistic branching in Adv, to show the step correspondence we proceed as for T = {in(x)_Trans} but using Adv and Adv' instead of Env. In showing that Property 1 holds for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, for a fixed $j$, we use Properties 1(g) and 1(l) of $R$.

7. T = {fix-zval_Rec}.

The fact that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ follows from Properties 1(e), 1(g), 1(h), and 1(f) together with Lemma 6.4, part 5(b).

The rest of the proof is easy because zval is computed in the same way in both the RS and Int1 systems. The only difference is that in the Int1 system the funct component of a trapdoor permutation pair is used, whereas in the RS system this pair is not available to Rec, only the function. The correspondence between the tdpp.funct component of TR1 and the tdp value of Rec is established using Lemma 6.4, part 5(b).

8. T = {fix-bval_Trans}.

This is an interesting case, in which bval in the RS system is computed by Trans using its own input and the contents of a received round 2 message. It corresponds to two steps in the Int1 system, in which TR1 first receives a value from Funct, and then uses it in the computation of bval with the fix-bval_Trans action.

We show that the sequence of tasks {out'(x)_Rec} {fix-bval_Trans} is enabled in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$. First, consider any state $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$; we show that {out'(x)_Rec} is enabled in $u$. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an internal task of Trans, $T$ is enabled in s.Trans. By the precondition of fix-bval_Trans in Trans, we know that s.Trans.tdpp $\neq \bot$, s.Trans.zval $\neq \bot$, s.Trans.inval $\neq \bot$, and s.Trans.bval $= \bot$. By Properties 1(a) and 1(b), we have u.Funct.inval(Trans) $\neq \bot$ and u.Funct.inval(Rec) $\neq \bot$. This implies that the action out'(x)_Rec is enabled in $u$, as needed.

Now, let $\varepsilon''_2$ be the measure $\mathit{apply}(\varepsilon_2, \{out'(x)_{Rec}\})$. We show that fix-bval_Trans is enabled in $\mathit{supp}(\mathit{lstate}(\varepsilon''_2))$. So consider any state $u'' \in \mathit{supp}(\mathit{lstate}(\varepsilon''_2))$. Choose $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$ such that $u'' \in \mathit{supp}(\mu_u)$ where $(u, out'(x)_{Rec}, \mu_u) \in D_{Int1 \| Env}$; that is, $u''$ is reached from $u$ by the out'(x)_Rec step that defines $\varepsilon''_2$. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since fix-bval_Trans is enabled in $s$, we have s.Trans.tdpp $\neq \bot$, s.Trans.zval $\neq \bot$, s.Trans.inval $\neq \bot$, and s.Trans.bval $= \bot$. Then we have u.TR1.tdpp $\neq \bot$, by Property 1(f) applied to $s$ and $u$. And u.TR1.zval $\neq \bot$, by Property 1(h) and Lemma 6.4, part 7(b). And u.TR1.inval2(Trans) $\neq \bot$, by Property 1(d). And u.TR1.inval(Rec) $\neq \bot$, by Lemma 6.4, parts 7(b) and 6, and Property 1(e). And finally, u.TR1.bval $= \bot$, by Property 1(i). Since the only effect of out'(x)_Rec is to set inval(Trans) in TR1 to $x$ if inval(Trans) $= \bot$, we know that u''.TR1.inval(Trans) $\neq \bot$, and also that u''.TR1.tdpp $\neq \bot$, u''.TR1.zval $\neq \bot$, u''.TR1.inval2(Trans) $\neq \bot$, u''.TR1.inval(Rec) $\neq \bot$, and u''.TR1.bval $= \bot$. Combining all these conditions, we see that fix-bval_Trans is enabled in $u''$, as needed.

Next, we define the probability measures. Let $I$ be the singleton index set $\{1\}$, let $p$ be the Dirac measure on 1, and let $\varepsilon'_{1,1} = \varepsilon'_1$ and $\varepsilon'_{2,1} = \varepsilon'_2$. To show that $(\varepsilon'_1, \varepsilon'_2) \in R$, we establish Property 1 of $R$ for $\varepsilon'_1$ and $\varepsilon'_2$, and show trace distribution equivalence.

To establish Property 1, consider any states $s' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_1))$ and $u' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_2))$. Let $s$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1))$ such that $s' \in \mathit{supp}(\mu_s)$ where $(s, \mathit{fix\text{-}bval}_{Trans}, \mu_s) \in D_{RS \| Env}$. Let $u''$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon''_2))$ such that $u' \in \mathit{supp}(\mu'_u)$ where $(u'', \mathit{fix\text{-}bval}_{Trans}, \mu'_u) \in D_{Int1 \| Env}$. Let $u$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ such that $u'' \in \mathit{supp}(\mu_u)$ where $(u, out'(x)_{Rec}, \mu_u) \in D_{Int1 \| Env}$.

We first show that s'.Trans.bval = u'.TR1.bval. By the effect of $T$, we know that for $i \in \{0,1\}$,

s'.Trans.bval($i$) $=$ B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$).

All state variables other than bval are unchanged in moving from $s$ to $s'$.

Also, by the effects of the out'(x)_Rec and fix-bval_Trans actions,

u'.TR1.bval(u.TR1.inval(Rec)) $=$ B(u.TR1.yval(u.TR1.inval(Rec))) $\oplus$ u''.TR1.inval(Trans),

which equals B(u.TR1.yval(u.TR1.inval(Rec))) $\oplus$ u''.Funct.inval(Trans)(u''.Funct.inval(Rec)) by Lemma 10.3, which in turn equals B(u.TR1.yval(u.TR1.inval(Rec))) $\oplus$ u.Funct.inval(Trans)(u.Funct.inval(Rec)). Also, we have

u'.TR1.bval($1 -$ u.TR1.inval(Rec)) $=$ B(u.TR1.tdpp.inverse(u.TR1.zval($1 -$ u.TR1.inval(Rec)))) $\oplus$ u.TR1.inval2(Trans)($1 -$ u.TR1.inval(Rec)).

In moving from $u$ to $u''$, TR1.inval(Trans) is updated to a non-$\bot$ value and all other state variables are unchanged; in moving from $u''$ to $u'$, only bval changes.

To show that s'.Trans.bval = u'.TR1.bval, we consider the two indices separately:

(a) $i =$ s.Rec.inval.

Then by Property 1(e), $i =$ u.TR1.inval(Rec). In this case, we must show that B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$) $=$ B(u.TR1.yval(u.TR1.inval(Rec))) $\oplus$ u.Funct.inval(Trans)(u.Funct.inval(Rec)), that is, that B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$) $=$ B(u.TR1.yval($i$)) $\oplus$ u.Funct.inval(Trans)(u.Funct.inval(Rec)).
Now, s.Trans.inval($i$) = s.Trans.inval(s.Rec.inval), which is in turn equal to u.Funct.inval(Trans)(u.Funct.inval(Rec)) by Properties 1(a) and 1(b) for $s$ and $u$. And s.Trans.tdpp.inverse(s.Trans.zval($i$)) = s.Rec.yval($i$), by Lemma 6.4, part 11, which is equal to u.TR1.yval($i$) by Property 1(g). Thus, s.Trans.tdpp.inverse(s.Trans.zval($i$)) = u.TR1.yval($i$), and so B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) = B(u.TR1.yval($i$)). Combining the equations yields the needed equation B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$) $=$ B(u.TR1.yval($i$)) $\oplus$ u.Funct.inval(Trans)(u.Funct.inval(Rec)).

(b) $i = 1 -$ s.Rec.inval.

Then $i = 1 -$ u.TR1.inval(Rec) by Property 1(e). In this case, we must show that B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$) $=$ B(u.TR1.tdpp.inverse(u.TR1.zval($1 -$ u.TR1.inval(Rec)))) $\oplus$ u.TR1.inval2(Trans)($1 -$ u.TR1.inval(Rec)), that is, that B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$) $=$ B(u.TR1.tdpp.inverse(u.TR1.zval($i$))) $\oplus$ u.TR1.inval2(Trans)($i$).

Now, s.Trans.inval($i$) = u.TR1.inval2(Trans)($i$) by Property 1(d). And s.Trans.tdpp = u.TR1.tdpp by Property 1(f). And s.Trans.zval = u.TR1.zval by Property 1(h) and Lemma 6.4, part 7. It follows that s.Trans.tdpp.inverse(s.Trans.zval($i$)) = u.TR1.tdpp.inverse(u.TR1.zval($i$)), and so B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) = B(u.TR1.tdpp.inverse(u.TR1.zval($i$))). Combining the equations yields B(s.Trans.tdpp.inverse(s.Trans.zval($i$))) $\oplus$ s.Trans.inval($i$) $=$ B(u.TR1.tdpp.inverse(u.TR1.zval($i$))) $\oplus$ u.TR1.inval2(Trans)($i$), as needed.

Thus, we have shown that s'.Trans.bval = u'.TR1.bval. To see that Property 1 holds for $s'$ and $u'$, note that it holds for $s$ and $u$, and the only changes are in the new assignments to bval (which are equal, as just shown), and in setting u'.TR1.inval(Trans) to a non-$\bot$ value. The only part of Property 1 that mentions u'.TR1.inval(Trans) is 1(c); thus, to see that Property 1 holds for $s'$ and $u'$ (and hence for $\varepsilon'_1$ and $\varepsilon'_2$), it suffices to show that Property 1(c) holds for $s'$ and $u'$.

So, suppose that s'.Rec.outval $\neq \bot$. Then s'.Rec.outval = s.Rec.outval, which is equal to s.Trans.inval(s.Rec.inval) by Lemma 6.4. This in turn equals u.Funct.inval(Trans)(u.Funct.inval(Rec)) by Properties 1(a) and 1(b) for $s$ and $u$, which is equal to u'.Funct.inval(Trans)(u'.Funct.inval(Rec)). Since we know that u'.TR1.inval(Trans) $\neq \bot$, Lemma 10.3 implies that u'.TR1.inval(Trans) = u'.Funct.inval(Trans)(u'.Funct.inval(Rec)). Combining all the equations, we obtain that s'.Rec.outval = u'.TR1.inval(Trans), as needed for 1(c).

The fact that $\mathit{tdist}(\varepsilon'_1) = \mathit{tdist}(\varepsilon'_2)$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_1$ and $\varepsilon'_2$.
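The two bval computations compared in this case, as an added worked example in Python (this is not code from the paper, whose systems are task-PIOAs rather than programs). It instantiates the trapdoor permutation pair tdpp with a toy RSA instance and the hard-core predicate B with the least significant bit; both are assumptions made here for illustration only and give no security. The transmitter input x and the receiver's yval pair are constructed sample inputs. trans_fix_bval_rs computes bval as Trans does in RS, inverting the permutation for both indices; tr1_fix_bval_int1 computes it as TR1 does in Int1 after receiving x = inval(Trans)(inval(Rec)) from Funct, which is exactly the split into cases (a) and (b) above. The final check that Rec recovers x(i) is the Lemma 6.4 fact used in case (a), tdpp.inverse(zval(i)) = yval(i).

```python
"""Added example: the RS and Int1 ways of computing bval agree.

Assumptions (not from the paper): the trapdoor permutation pair is a toy RSA
instance with tiny primes (illustration only, not secure), the domain D is
Z_n, and the hard-core predicate B is the least significant bit.
"""
import random
from typing import Dict, Optional, Tuple

# Toy RSA trapdoor permutation pair standing in for an element of Tdpp.
P, Q = 61, 53
N = P * Q                                  # the domain D is Z_N
E = 17
D_EXP = pow(E, -1, (P - 1) * (Q - 1))      # the trapdoor exponent, 2753


class Tdpp:
    """A trapdoor permutation pair: public funct plus the trapdoor inverse."""

    def funct(self, x: int) -> int:        # f, sent to Rec in round 1
        return pow(x, E, N)

    def inverse(self, y: int) -> int:      # f^{-1}, known only to Trans
        return pow(y, D_EXP, N)


def hardcore_bit(x: int) -> int:
    """B: hard-core predicate, assumed to be the LSB for this toy instance."""
    return x & 1


def rec_fix_zval(i: int, yval: Tuple[int, int], f) -> Tuple[int, int]:
    """fix-zval_Rec: zval(i) = f(yval(i)), zval(1-i) = yval(1-i)."""
    zval = [0, 0]
    zval[i] = f(yval[i])
    zval[1 - i] = yval[1 - i]
    return (zval[0], zval[1])


def trans_fix_bval_rs(x: Tuple[int, int], zval: Tuple[int, int],
                      tdpp: Tdpp) -> Tuple[int, int]:
    """fix-bval_Trans in RS: bval(j) = B(tdpp.inverse(zval(j))) XOR inval(j)."""
    return (hardcore_bit(tdpp.inverse(zval[0])) ^ x[0],
            hardcore_bit(tdpp.inverse(zval[1])) ^ x[1])


def tr1_fix_bval_int1(i: int, x_i: int, inval2: Tuple[int, int],
                      yval: Tuple[int, int], zval: Tuple[int, int],
                      tdpp: Tdpp) -> Tuple[int, int]:
    """out'(x)_Rec followed by fix-bval_Trans in Int1.

    x_i is TR1.inval(Trans) as delivered by Funct (Lemma 10.3: it equals
    inval(Trans)(inval(Rec))); inval2 is TR1.inval2(Trans).
    """
    bval = [0, 0]
    bval[i] = hardcore_bit(yval[i]) ^ x_i                                 # case (a)
    bval[1 - i] = hardcore_bit(tdpp.inverse(zval[1 - i])) ^ inval2[1 - i]  # case (b)
    return (bval[0], bval[1])


def rec_output(i: int, bval: Tuple[int, int], yval: Tuple[int, int]) -> int:
    """Rec's output after receive(3,b): outval = bval(i) XOR B(yval(i))."""
    return bval[i] ^ hardcore_bit(yval[i])


def run_ot(x: Tuple[int, int], i: int,
           yval: Optional[Tuple[int, int]] = None,
           seed: int = 0) -> Dict[str, object]:
    """One run: returns both bval computations and Rec's output."""
    if yval is None:                       # Src_yval: uniform on D (constructed)
        rng = random.Random(seed)
        yval = (rng.randrange(N), rng.randrange(N))
    tdpp = Tdpp()
    zval = rec_fix_zval(i, yval, tdpp.funct)
    bval_rs = trans_fix_bval_rs(x, zval, tdpp)
    bval_int1 = tr1_fix_bval_int1(i, x[i], x, yval, zval, tdpp)
    return {"bval_rs": bval_rs, "bval_int1": bval_int1,
            "outval": rec_output(i, bval_rs, yval)}


if __name__ == "__main__":
    for x in ((0, 0), (0, 1), (1, 0), (1, 1)):
        for i in (0, 1):
            r = run_ot(x, i, seed=42)
            assert r["bval_rs"] == r["bval_int1"] and r["outval"] == x[i]
    print("RS and Int1 compute the same bval; Rec recovers x(i)")
```

Running the file checks all four transmitter inputs against both receiver indices. The equality of the two bval tuples is what lets the single fix-bval_Trans step of RS correspond to the two-step sequence out'(x)_Rec, fix-bval_Trans of Int1; the toy RSA parameters provide only this functional correspondence, not the hardness that the cryptographic part of the argument depends on.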

9. T = {send(1,f)_Trans}.

We first show that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Fix any state $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$; we show that $T$ is enabled in $u$. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an output task of Trans, $T$ is enabled in s.Trans, and so s.Trans.tdpp $\neq \bot$. By Property 1(f), u.TR1.tdpp = s.Trans.tdpp. So, $T$ is enabled in u.TR1, and hence in $u$, as needed.

Next, we show that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. We know by Property 1(f) that the variables Trans.tdpp and TR1.tdpp have the same unique value in all states in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Since the parameter $f$ in send(1,f)_Trans is defined to be Trans.tdpp.funct, we conclude that the action send(1, Trans.tdpp.funct) is the unique action in $T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. We use $a$ as a shorthand for send(1, Trans.tdpp.funct) in the rest of the proof for this case.

Let $I$ be the singleton index set $\{1\}$, let $p$ be the Dirac measure on 1, and let $\varepsilon'_{1,1} = \varepsilon'_1$ and $\varepsilon'_{2,1} = \varepsilon'_2$. To show that $(\varepsilon'_1, \varepsilon'_2) \in R$, we establish Property 1 of $R$ for $\varepsilon'_1$ and $\varepsilon'_2$, and show trace distribution equivalence for $\varepsilon'_1$ and $\varepsilon'_2$.

To establish Property 1, consider any states $s' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_1))$ and $u' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_2))$. Let $s$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1))$ such that $s' \in \mathit{supp}(\mu_s)$ where $(s, a, \mu_s) \in D_{RS \| Env}$. Similarly, let $u$ be any state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ such that $u' \in \mathit{supp}(\mu_u)$ where $(u, a, \mu_u) \in D_{Int1 \| Env}$.

By the definitions of RS and Int1 we know that application of $T$ updates only Adv.messages in the RS system and Adv'.messages in the Int1 system. By Property 1(l), u.Adv' = s.Adv. It is obvious that u'.Adv' = s'.Adv and that 1(l) holds, since Adv and Adv' are the same automaton (except for the renaming of the out' actions). Since no component other than Adv.messages and Adv'.messages is updated, we conclude that Property 1 holds.

The fact that $\mathit{tdist}(\varepsilon'_1) = \mathit{tdist}(\varepsilon'_2)$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_1$ and $\varepsilon'_2$.

10. T = {send(2,z)_Rec}.

We first show that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Fix any state $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$; we show that $T$ is enabled in $u$. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an output task of Rec, $T$ is enabled in s.Rec, and therefore s.Rec.zval $\neq \bot$. By Property 1(h), u.TR1.zval = s.Rec.zval $\neq \bot$. So, $T$ is enabled in u.TR1 (which plays the role of Rec in the Int1 system), and hence in $u$, as needed.

Next, we show that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. We know by Property 1(h) that the variables Rec.zval and TR1.zval have the same unique value in all states in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and so there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Note that here $a$ is send(2,z)_Rec for a fixed value of $z$.

The rest is identical to the proof for T = {send(1,f)_Trans}.
11. T = {send(3,b)_Trans}.

The proof that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ is analogous to the corresponding part of the proof for T = {send(1,f)_Trans}. Here we use Property 1(i) instead of 1(f).

We also show that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, arguing as in the case for T = {send(1,f)_Trans}. Here, the unique action is determined by fixing the value of parameter $b$ to the value of the variables Trans.bval and TR1.bval, which is the same in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$.

The rest of the proof is identical to the proof for T = {send(1,f)_Trans}.

12. T = {receive(1,f)_Rec}.

Since $T$ is an output task of Adv, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ of Adv from $q_{Adv}$ with action $a$. Here, $a$ is receive(1,f)_Rec for a fixed value of $f$.

The rest is similar to the proof for T = {send(1,f)_Trans}. The only difference is that in showing that Property 1 holds, we use the fact that application of $T$ updates only Rec.tdp in RS and that $R$ does not depend on this component.

13. T = {receive(2,z)_Trans}.

Since $T$ is an output task of Adv, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ of Adv from $q_{Adv}$ with action $a$. Here $a$ is receive(2,z)_Trans for a fixed value of $z$.

The rest of the proof differs from the case for T = {receive(1,f)_Rec} only in showing that Property 1 holds; here we make use of the fact that the application of $T$ updates Trans.zval only, which has no effect on $R$.

14. T = {receive(3,b)_Rec}.

Since $T$ is an output task of Adv, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ of Adv from $q_{Adv}$ with action $a$. Here $a$ is receive(3,b)_Rec for a fixed value of $b$.

The rest of the proof differs from that for T = {receive(1,f)_Rec} in that, in showing that Property 1 holds, we must show that Property 1(c) is preserved. Thus, consider any states $s' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_1))$ and $u' \in \mathit{supp}(\mathit{lstate}(\varepsilon'_2))$. Let $s$ be some state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1))$ such that $s' \in \mathit{supp}(\mu_s)$ where $(s, a, \mu_s) \in D_{RS \| Env}$. Similarly, let $u$ be some state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$ such that $u' \in \mathit{supp}(\mu_u)$ where $(u, a, \mu_u) \in D_{Int1 \| Env}$.

We know that s'.Rec.outval $\neq \bot$, since the effect of receive(3,b)_Rec sets it. Then s'.Rec.outval = s'.Trans.inval(s'.Rec.inval) by Lemma 6.4, which is equal to s.Trans.inval(s.Rec.inval). This in turn equals u.Funct.inval(Trans)(u.Funct.inval(Rec)) by Properties 1(a) and 1(b) for $s$ and $u$. Now, s.Trans.bval $\neq \bot$, by Lemma 6.4, part 4, so by Property 1(i), u.TR1.bval $\neq \bot$. Therefore, by Lemma 10.3, u.TR1.inval(Trans) $\neq \bot$, and again by Lemma 10.3, u.TR1.inval(Trans) = u.Funct.inval(Trans)(u.Funct.inval(Rec)). Combining the equations, we obtain s'.Rec.outval = u.TR1.inval(Trans). Since u'.TR1.inval(Trans) = u.TR1.inval(Trans), we obtain s'.Rec.outval = u'.TR1.inval(Trans), which shows 1(c), as needed.

15. T = {out(x)_Rec}.

Since $T$ is an output task of Adv, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ of Adv from $q_{Adv}$ with action $a$. (Here $\mu_{Adv}$ is a Dirac distribution.) Also, by next-transition determinism, it follows that there is a unique transition of Env with action $a$ from $q_{Env}$. Let $\mathit{tr}_{Env} = (q_{Env}, a, \mu_{Env})$ be this transition.

To show the step correspondence, we proceed as for T = {in(x)_Trans}, decomposing the measures generated by the application of $T$ according to the resulting state of Env, and using Property 1(m) to show that Property 1 holds for each component measure.

For each index $j$ in the decomposition, the fact that $\mathit{tdist}(\varepsilon'_{1,j}) = \mathit{tdist}(\varepsilon'_{2,j})$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

16. T = {out'(x)_Rec}.

We first show that the corresponding task {out''(x)_Rec} is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$. Fix any state $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$; we show that {out''(x)_Rec} is enabled in $u$. Note that {out''(x)_Rec} is an output task of TR1 in the Int1 system. Choose any $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$. Since $T$ is enabled in $s$ and $T$ is an output task of Rec in the RS system, $T$ is enabled in s.Rec and therefore s.Rec.outval $\neq \bot$. Then by Property 1(c), u.TR1.inval(Trans) $\neq \bot$. So, {out''(x)_Rec} is enabled in u.TR1, and hence in $u$, as needed.

Let $I$ be the singleton index set $\{1\}$, let $p$ be the Dirac measure on 1, and let $\varepsilon'_{1,1} = \varepsilon'_1$ and $\varepsilon'_{2,1} = \varepsilon'_2$.

In showing Property 1, we use the fact that the applications of $T$ in the RS system and of {out''(x)_Rec} in the Int1 system update only the outval(Rec) state variables of Adv and Adv' respectively, which preserves Property 1.

The fact that $\mathit{tdist}(\varepsilon'_1) = \mathit{tdist}(\varepsilon'_2)$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_1$ and $\varepsilon'_2$.

17. $T$ is an output task of Env and an input task of Adv.

Since $T$ is an output task of Env, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Env} = (q_{Env}, a, \mu_{Env})$ of Env from $q_{Env}$ with action $a$. Also, by next-transition determinism, it follows that there is a unique transition of Adv with action $a$ from $q_{Adv}$. Let $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ be this transition.

Suppose that $\mathit{supp}(\mu_{Env} \times \mu_{Adv})$ is the set $\{(q_{1j}, q_{2j}) : j \in I\}$ of pairs of states, where $I$ is a countable index set. Let $p$ be the probability measure on the index set $I$ such that, for each $j \in I$, $p(j) = (\mu_{Env} \times \mu_{Adv})(q_{1j}, q_{2j})$. For each $j \in I$, we define probability measure $\varepsilon'_{1,j}$ as follows. The support $\mathit{supp}(\varepsilon'_{1,j})$ is the set of execution fragments $\alpha \in \mathit{supp}(\varepsilon'_1)$ such that $\mathit{lstate}(\alpha).\mathit{Env} = q_{1j}$ and $\mathit{lstate}(\alpha).\mathit{Adv} = q_{2j}$. For each $\alpha \in \mathit{supp}(\varepsilon'_{1,j})$ of the form $\alpha'\, a\, q$, let $\varepsilon'_{1,j}(\alpha) = \varepsilon_1(\alpha')$. We construct $\varepsilon'_{2,j}$ analogously from $\varepsilon'_2$.

In the rest of the proof we proceed as for T = {in(x)_Trans}. The only difference is that in showing Property 1 for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, for a fixed $j$, we use the fact that application of $T$ affects only the states of Adv, Adv', and Env (by definition of the RS and Int1 systems) and use Properties 1(l) and 1(m).

18. $T$ is either an output task of Env that is not an input task of Adv, Trans, or Rec, or is an internal task of Env.

Since $T$ is an output or internal task of Env, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Env} = (q_{Env}, a, \mu_{Env})$ of Env from $q_{Env}$ with action $a$.

To show the step correspondence, we proceed as for T = {in(x)_Trans}. The only difference is that in showing Property 1 for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, for a fixed $j$, we use the fact that application of $T$ affects only the state of Env, and use Property 1(m).

For each index $j$ in the decomposition, the fact that $\mathit{tdist}(\varepsilon'_{1,j}) = \mathit{tdist}(\varepsilon'_{2,j})$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.
19. $T$ is an output task of Adv and an input task of Env.

Since $T$ is an output task of Adv, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ of Adv from $q_{Adv}$ with action $a$. Also, by next-transition determinism, it follows that there is a unique transition of Env with action $a$ from $q_{Env}$. Let $\mathit{tr}_{Env} = (q_{Env}, a, \mu_{Env})$ be this transition.

To show the step correspondence, we proceed as for T = {in(x)_Trans}, using Properties 1(l) and 1(m).

For each index $j$ in the decomposition, the fact that $\mathit{tdist}(\varepsilon'_{1,j}) = \mathit{tdist}(\varepsilon'_{2,j})$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

20. $T$ is either an output task of Adv that is not an input task of Env, Trans, or Rec, or is an internal task of Adv.

Since $T$ is an output or internal task of Adv, Claim 2 implies that $T$ is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_2))$, that there is a unique action $a \in T$ that is enabled in every state in $\mathit{supp}(\mathit{lstate}(\varepsilon_1)) \cup \mathit{supp}(\mathit{lstate}(\varepsilon_2))$, and that there is a unique transition $\mathit{tr}_{Adv} = (q_{Adv}, a, \mu_{Adv})$ of Adv from $q_{Adv}$ with action $a$.

To show the step correspondence, we proceed as for T = {in(x)_Trans}, but using Adv instead of Env. In showing Property 1 for $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$, for a fixed $j$, we use the fact that application of $T$ affects only the state of Adv (by definition of RS and Int1) and use Property 1(l).

For each index $j$ in the decomposition, the fact that $\mathit{tdist}(\varepsilon'_{1,j}) = \mathit{tdist}(\varepsilon'_{2,j})$ follows from the fact that $\mathit{tdist}(\varepsilon_1) = \mathit{tdist}(\varepsilon_2)$ and the definitions of $\varepsilon'_{1,j}$ and $\varepsilon'_{2,j}$.

$\square$

Proof. (Of Lemma 10.4:)

By Lemma 10.6, $R$ is a simulation relation from RS$_k \|$ Env to Int1$_k \|$ Env. Then Theorem 3.52 implies that $\mathit{tdists}(RS_k \| Env) \subseteq \mathit{tdists}(Int1_k \| Env)$. Since Env was chosen arbitrarily, this implies (by the definition of $\leq_0$) that RS$_k \leq_0$ Int1$_k$. $\square$

Proof. (Of Lemma 10.5:)

By Lemma 10.6, $R$ is a simulation relation from RS$_k \|$ Env to Int1$_k \|$ Env for which $|\mathit{corrtasks}(S,T)| \leq 2$ for every $S$ and $T$. Since that lemma holds for every $k$ and every Env, Theorem 3.85 implies that RS $\leq_{neg,pt}$ Int1. $\square$

10.5 Int1 implements Int2

We show:

Lemma 10.7 Assume that Adv is a polynomial-time-bounded family of adversary automata. Then Int1 $\leq_{neg,pt}$ Int2.

In order to prove this lemma, we consider the following two task-PIOA families, SInt1 and SInt2, which are subsystems of the Int1 and Int2 families respectively:

• SInt1 $= \mathit{hide}_{\{rand(*)_{tdpp}\} \cup \{rand(*)_{yval}\}}(TR1 \| Src_{tdpp} \| Src_{yval})$,

• SInt2 $= \mathit{hide}_{\{rand(*)_{tdpp}\} \cup \{rand(*)_{zval}\} \cup \{rand(*)_{cval}\}}(TR2 \| Src_{tdpp} \| Src_{zval} \| Src_{cval})$.

(The sources of SInt1 are those of Int1, namely Src_tdpp and Src_yval, the latter being the source whose chosenval the relation below refers to.)

Next, using mappings of the sort we used in Section 9.4, we will show that SInt1 $\leq$ SHOT' and SHROT' $\leq$ SInt2, where SHOT' and SHROT' are the families defined in Section 8.3.3. More precisely, we prove that SInt1$_k \leq_0$ SHOT'$_k$ and SHROT'$_k \leq_0$ SInt2$_k$ for every $k$. In the rest of this subsection, we suppress the mention of $k$ everywhere.

Finally, using the properties of these mappings and the different properties of the $\leq_{neg,pt}$ relation, we prove the expected relation.
10.5.1 The SInt1 subsystem implements SHOT'

Fix any environment Env' for both SInt1 and SHOT'. We define a simulation relation $R$ from SInt1 $\|$ Env' to SHOT' $\|$ Env'.

Let $\varepsilon_1$ and $\varepsilon_2$ be discrete probability measures on finite execution fragments of SInt1 $\|$ Env' and SHOT' $\|$ Env', respectively, satisfying the trace distribution equivalence and state equivalence properties. Then we say that $(\varepsilon_1, \varepsilon_2) \in R$ if and only if all of the following hold:

For every $s \in \mathit{supp}(\mathit{lstate}(\varepsilon_1))$ and $u \in \mathit{supp}(\mathit{lstate}(\varepsilon_2))$:

1. u.Ifc.inval(Trans) = s.TR1.inval(Trans).

2. u.Ifc.inval2(Trans) = s.TR1.inval2(Trans).

3. u.Ifc.inval(Rec) = s.TR1.inval(Rec).

4. If s.Src_tdpp.chosenval $= \bot$ then u.Src_tdp.chosenval $= \bot$.

5. If s.Src_tdpp.chosenval $\neq \bot$ then u.Src_tdp.chosenval = s.Src_tdpp.chosenval.funct.

6. If s.TR1.tdpp $\neq \bot$ then u.Ifc.fval = s.TR1.tdpp.funct.

7. If s.Src_yval.chosenval $= \bot$ then u.Src_yval.chosenval = u.Src_yval'.chosenval $= \bot$.

8. If s.Src_yval.chosenval $\neq \bot$ then $\mathit{lstate}(\varepsilon_1)$.Src_yval.chosenval and $\mathit{lstate}(\varepsilon_2)$.Src_yval'.chosenval are the uniform distribution on $D$.

9. If s.TR1.yval $\neq \bot$ then u.H.yval $\neq \bot$ and u.Ifc.yval' $\neq \bot$.

10. If s.TR1.zval $= \bot$ then u.Ifc.zval $= \bot$, else

• u.Ifc.zval(u.Ifc.inval(Rec)) = s.TR1.zval(s.TR1.inval(Rec)) and

• u.Ifc.zval($1 -$ u.Ifc.inval(Rec)) = s.TR1.zval($1 -$ s.TR1.inval(Rec)).

11. If s.TR1.bval $= \bot$ then u.Ifc.bval $= \bot$, else

• u.Ifc.bval(u.Ifc.inval(Rec)) = s.TR1.bval(s.TR1.inval(Rec)) and

• u.Ifc.bval($1 -$ u.Ifc.inval(Rec)) = s.TR1.bval($1 -$ s.TR1.inval(Rec)).

12. u.Env' = s.Env'.

Lemma 10.8 The relation $R$ defined above is a simulation relation from SInt1 $\|$ Env' to SHOT' $\|$ Env'. Furthermore, for each step of SInt1 $\|$ Env', the step correspondence yields at most five steps of SHOT' $\|$ Env', that is, for every $S$, $T$, $|\mathit{corrtasks}(S,T)| \leq 5$.

Proof. We prove that $R$ satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique start states $s$ and $u$ of SInt1 $\|$ Env' and SHOT' $\|$ Env', respectively, are $R$-related: all properties of $R$ hold because the state components of $s$ and $u$ on which $R$ depends are all $\bot$.

Step condition: We define $\mathit{corrtasks}: (R^*_{SInt1 \| Env'} \times R_{SInt1 \| Env'}) \to R^*_{SHOT' \| Env'}$ as follows. For any $(S,T) \in (R^*_{SInt1 \| Env'} \times R_{SInt1 \| Env'})$:

• If $T \in \{$ {in(x)_Trans}, {out'(x)_Rec}, {out''(x)_Rec}, {in(i)_Rec}, {send(1,f)_Trans}, {send(2,z)_Rec}, {send(3,b)_Trans} $\}$ then $\mathit{corrtasks}(S,T) = T$.

• If $T$ is an output or internal task of Env' that is not one of the tasks listed above, then $\mathit{corrtasks}(S,T) = T$.

• If T = {choose-rand_tdpp} then $\mathit{corrtasks}(S,T) =$ {choose-rand_tdp}.

• If T = {choose-rand_yval} then $\mathit{corrtasks}(S,T) =$ {choose-rand_yval} {choose-rand_yval'}.

• If T = {rand(p)_tdpp} then $\mathit{corrtasks}(S,T) =$ {rand(f)_tdp}.

• If T = {rand(y)_yval} then $\mathit{corrtasks}(S,T) =$ {rand(y)_yval} {rand(y)_yval'}.

• If T = {fix-zval_Rec} then $\mathit{corrtasks}(S,T) =$ {fix-zval} {rand(z)_zval} {fix-bval} {rand(b)_bval} {fix-zval_Rec}.

• If T = {fix-bval_Trans} then $\mathit{corrtasks}(S,T) =$ {fix-bval_Trans}.

Suppose $(\epsilon_1, \epsilon_2) \in R$ and $T$ is a task of $SInt1\|Env'$ that is enabled in $supp(lstate(\epsilon_1))$. We simply
verify that the tasks in $corrtasks(S,T)$ are enabled when $T$ is enabled: the other aspects of the proof
are similar to the corresponding ones in Lemma 10.6.

1. $T \in \{\{in(x)_{Trans}\}, \{out'(x)_{Rec}\}, \{in(i)_{Rec}\}\}$. In these cases, $T$ is an input task of $SInt1$, which is
also the case of $corrtasks(S,T) = T$ in $SHOT'$. These input tasks are always enabled.

2. $T = \{out''(x)_{Rec}\}$. Consider any states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$. Since
$T$ is enabled in $s$, we know that $s.TR1.inval(Trans) \neq \bot$. Now, since $\epsilon_1 R \epsilon_2$, we know that
$u.Ifc.inval(Trans) \neq \bot$. This is sufficient to have $T$ enabled in $u$.

3. $T = \{send(1,f)_{Trans}\}$. This case is similar to the previous one since we know that $s.TR1.tdpp \neq \bot$
and $u.Ifc.fval = s.TR1.tdpp.funct$ in any states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$.

4. $T = \{send(2,z)_{Rec}\}$. Again, this case is similar to the previous one since we know that $s.TR1.zval \neq \bot$,
which implies that $u.Ifc.zval \neq \bot$ in any states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$.

5. $T = \{send(3,b)_{Trans}\}$. Again, this case is similar to the previous one since we know that
$s.TR1.bval \neq \bot$, which implies that $u.Ifc.bval \neq \bot$ in any states $s \in supp(lstate(\epsilon_1))$ and
$u \in supp(lstate(\epsilon_2))$.

6. $T$ is an output or internal task of $Env'$ that is not one of the tasks listed above. Consider any
states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$. Since $T$ is enabled in $s$, it is also enabled in
$u$ since we know that $s.Env' = u.Env'$.

7. $T = \{choose\text{-}rand_{tdpp}\}$. We know that $\{choose\text{-}rand_{tdp}\}$ is enabled in $SHOT'$ because
$u.Src_{tdp}.chosenval = \bot$ when $s.Src_{tdpp}.chosenval = \bot$ in any states $s \in supp(lstate(\epsilon_1))$ and
$u \in supp(lstate(\epsilon_2))$.

8. $T = \{choose\text{-}rand_{yval}\}$. We know that $\{choose\text{-}rand_{yval}\}$ and $\{choose\text{-}rand_{yval'}\}$ are enabled
in $SHOT'$ because $u.Src_{yval}.chosenval = u.Src_{yval'}.chosenval = \bot$ when $s.Src_{yval}.chosenval = \bot$
in any states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$.

9. $T = \{fix\text{-}zval_{Rec}\}$. Consider any states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$. Since
$T$ is enabled in $s$, we know that $s.TR1.yval \neq \bot$ and $s.TR1.tdpp \neq \bot$. Since $\epsilon_1 R \epsilon_2$, we also
know that $u.H.yval \neq \bot$, $u.Ifc.yval' \neq \bot$ and $u.Ifc.fval = u.H.fval \neq \bot$. So, the sequence
of tasks $\{fix\text{-}zval\}\{rand(z)_{zval}\}\{fix\text{-}bval\}\{rand(b)_{bval}\}$ is enabled in $u$. After these tasks
have been performed, $u.Ifc.zval' \neq \bot$ and $u.Ifc.bval' \neq \bot$. Now, since $T$ is enabled in $s$,
we know that $s.TR1.inval(Rec) \neq \bot$ and $s.TR1.zval = \bot$. Since $\epsilon_1 R \epsilon_2$, we also know that
$u.Ifc.inval(Rec) \neq \bot$ and $u.Ifc.zval = \bot$. So, at this point, the $\{fix\text{-}zval_{Rec}\}$ task is
enabled.

10. $T = \{fix\text{-}bval_{Trans}\}$. Consider any states $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$. Since
$T$ is enabled in $s$ and $\epsilon_1 R \epsilon_2$, we know that

• $s.TR1.zval \neq \bot$, which implies that $u.Ifc.zval \neq \bot$,

• $s.TR1.inval(Trans) \neq \bot$, which implies that $u.Ifc.inval(Trans) \neq \bot$,

• $s.TR1.inval2(Trans) \neq \bot$, which implies that $u.Ifc.inval2(Trans) \neq \bot$,

• $s.TR1.inval(Rec) \neq \bot$, which implies that $u.Ifc.inval(Rec) \neq \bot$,

• $s.TR1.bval = \bot$, which implies that $u.Ifc.bval = \bot$.

Now, we observe that, if $u.Ifc.zval \neq \bot$, then $u.Ifc.yval' \neq \bot$ and $u.Ifc.bval' \neq \bot$. So, all
preconditions of the $\{fix\text{-}bval_{Trans}\}$-task are verified in $u$.

□ 

10.5.2 SHROT implements the SInt2 subsystem 

Fix any environment $Env$ for both $SHROT'$ and $SInt2$. We define a simulation relation $R$ from
$SHROT'\|Env'$ to $SInt2\|Env'$.

Let $\epsilon_1$ and $\epsilon_2$ be discrete probability measures on finite execution fragments of $SHROT'\|Env$ and
$SInt2\|Env$, respectively, satisfying the trace distribution equivalence and state equivalence properties.
Then we say that $(\epsilon_1, \epsilon_2) \in R$ if and only if all of the following hold:

For every $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$:

1. $u.TR2.inval(Trans) = s.Ifc.inval(Trans)$.

2. $u.TR2.inval2(Trans) = s.Ifc.inval2(Trans)$.

3. $u.TR2.inval(Rec) = s.Ifc.inval(Rec)$.

4. if $s.Src_{tdp}.chosenval = \bot$ then $u.Src_{tdpp}.chosenval = \bot$.

5. if $s.Src_{tdp}.chosenval \neq \bot$ then $u.Src_{tdpp}.chosenval.funct = s.Src_{tdp}.chosenval$.

6. if $s.Ifc.fval \neq \bot$ then $u.TR2.tdpp.funct = s.Ifc.fval$.

7. if $s.Src_{zval}.chosenval = \bot$ then $u.Src_{yval}.chosenval = \bot$.

8. if $s.Src_{zval}.chosenval \neq \bot$ then $lstate(\epsilon_2).Src_{yval}.chosenval$ is the uniform distribution on $(\{0,1\} \to D)$.

9. if $s.Ifc.zval' \neq \bot$ then $u.TR2.yval \neq \bot$.

10. if $s.Ifc.zval = \bot$ then $u.TR2.zval = \bot$ else

• $u.TR2.zval(u.TR2.inval(Rec)) = s.Ifc.zval(s.Ifc.inval(Rec))$ and

• $u.TR2.zval(1 - u.TR2.inval(Rec)) = s.Ifc.zval(1 - s.Ifc.inval(Rec))$.

11. if $s.Ifc.bval = \bot$ then $u.TR2.bval = \bot$ else

• $u.TR2.bval(u.TR2.inval(Rec)) = s.Ifc.bval(s.Ifc.inval(Rec))$ and

• $u.TR2.bval(1 - u.TR2.inval(Rec)) = s.Ifc.bval(1 - s.Ifc.inval(Rec))$.

12. $u.Env = s.Env$.

Lemma 10.9 The relation $R$ defined above is a simulation relation from $SHROT'\|Env'$ to $SInt2\|Env'$.
Furthermore, for each step of $SHROT'\|Env'$, the step correspondence yields at most one step of
$SInt2\|Env'$, that is, for every $S, T$, $|corrtasks(S,T)| \leq 1$.

Proof. We show that $R$ satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique
start states $s$ and $u$ of $SHROT'\|Env'$ and $SInt2\|Env'$, respectively, are $R$-related. All properties of
$R$ hold because the state components of $s$ and $u$ on which $R$ depends are all $\bot$.

Step condition: We define $corrtasks : (RS_{SHROT'\|Env'} \times RA_{SHROT'\|Env'}) \to RA^*_{SInt2\|Env'}$ as follows:
For any $(S,T) \in (RS_{SHROT'\|Env'} \times RA_{SHROT'\|Env'})$:

• If $T \in \{\{in(x)_{Trans}\}, \{out'(x)_{Rec}\}, \{out''(x)_{Rec}\}, \{in(i)_{Rec}\}, \{fix\text{-}zval_{Rec}\}, \{fix\text{-}bval_{Trans}\}, \{send(1,f)_{Trans}\}, \{send(2,z)_{Rec}\}, \{send(3,b)_{Trans}\}\}$ then $corrtasks(S,T) = \{T\}$.

• If $T$ is an output or internal task of $Env$ that is not one of the tasks listed above, then
$corrtasks(S,T) = T$.

• If $T = \{choose\text{-}rand_{tdp}\}$ then $corrtasks(S,T) = \{choose\text{-}rand_{tdpp}\}$.

• If $T = \{rand(f)_{tdp}\}$ then $corrtasks(S,T) = \{rand(p)_{tdpp}\}$.

• If $T = \{choose\text{-}rand_{yval'}\}$ then $corrtasks(S,T) = \lambda$.

• If $T = \{rand(y)_{yval'}\}$ then $corrtasks(S,T) = \lambda$.

• If $T = \{choose\text{-}rand_{zval}\}$ then $corrtasks(S,T) = \{choose\text{-}rand_{yval}\}$.

• If $T = \{rand(z)_{zval}\}$ then $corrtasks(S,T) = \{rand(y)_{yval}\}$.

• If $T = \{choose\text{-}rand_{bval}\}$ then $corrtasks(S,T) = \{choose\text{-}rand_{cval1}\}$.

• If $T = \{rand(b)_{bval}\}$ then $corrtasks(S,T) = \{rand(c)_{cval1}\}$.

The only interesting cases in this mapping are those corresponding to the selection and to the
transmission of $s.Src_{yval'}.chosenval$ and $s.Src_{zval}.chosenval$ (for any state $s \in supp(lstate(\epsilon_1))$). These
two values are selected into two random sources in $SHROT'$ while they are both selected into the $Src_{yval}$
random source in $SInt2$.

Since all actions of $Ifc$ require that both these values are defined (or do not care about them), we
manage these differences in a simple way: we do not define any task corresponding to the tasks of the
$Src_{yval'}$ source, and make the tasks of the $Src_{zval}$ automata correspond. This is sufficient to be sure
that $TR2.yval \neq \bot$ when both $Ifc.yval'$ and $Ifc.zval'$ have been set.

Proving the rest of this correspondence is fairly obvious. 

□ 

10.5.3 Intl implements Int2 

Proof. (of Lemma 10.7)

In Lemmas 10.8 and 10.9, we proved that $SInt1 \leq SHOT'$ and $SHROT' \leq SInt2$. Furthermore, the
$corrtasks$ mappings we used in these proofs only increase the length of the schedules by a constant
factor. So, we can use the soundness result of our simulation relation given in Thm. 3.85 to deduce that
$SInt1 \leq_{neg,pt} SHOT'$ and $SHROT' \leq_{neg,pt} SInt2$.

Now, since $SHOT' \leq_{neg,pt} SHROT'$ (see Lemma 8.14) and since the $\leq_{neg,pt}$ implementation relation
is transitive (see Lemma 3.82), we obtain $SInt1 \leq_{neg,pt} SInt2$.

Now, by composing $SInt1$ and $SInt2$ with the polynomial-time bounded task-PIOA families $Adv$
and $Funct$, and using Lemma 3.83, we obtain:

$Funct\|Adv\|SInt1 \leq_{neg,pt} Funct\|Adv\|SInt2$.

Now, coming back to the definitions of $SInt1$ and $SInt2$, we observe that this is equivalent to saying
that:

$$hide_{\{rand(*)_{tdpp}\} \cup \{rand(*)_{zval}\}}(Funct\|Adv\|TR1\|Src_{tdpp}\|Src_{zval}) \leq_{neg,pt} hide_{\{rand(*)_{tdpp}\} \cup \{rand(*)_{zval}\} \cup \{rand(*)_{cval1}\}}(Funct\|Adv\|TR2\|Src_{tdpp}\|Src_{zval}\|Src_{cval1})$$

or, in other words, $Int1 \leq_{neg,pt} Int2$, as needed. □

10.6 Int2 implements SIS 

We show: 

Lemma 10.10 For every $k$, $Int2_k \leq_0 SIS_k$.

We prove Lemma 9.11 by choosing an arbitrary environment $Env$ for $Int2_k$ and $SIS_k$, establishing a
simulation relation from $Int2_k\|Env$ to $SIS_k\|Env$, and appealing to Theorem 3.52, the soundness result
for simulation relations.

The only differences between $Int2$ and $SIS$ are that $Int2$ uses $TR2$ and $Src_{cval1}$ whereas $SIS$ uses
$TR$ and $Src_{bval1}$. The key difference here is that $TR2$ calculates the $bval$ value for the non-selected
index as the $\oplus$ of a random $cval1$ bit and the real input bit, whereas $TR$ chooses it randomly (using
$bval1$). Either way, it's a random bit.

We also show: 



Lemma 10.11 $Int2 \leq_{neg,pt} SIS$.

10.6.1 State correspondence 

Here we define the correspondence $R$ from the states of $Int2\|Env$ to states of $SIS\|Env$, which we will
show to be a simulation relation in Section 10.6.2.

Let $\epsilon_1$ and $\epsilon_2$ be discrete probability measures on finite execution fragments of $Int2$ and $SIS$,
respectively, satisfying the following properties:

1. Trace distribution equivalence: $tdist(\epsilon_1) = tdist(\epsilon_2)$.

2. State equivalence: There exist state equivalence classes $S_1 \in RS_{Int2\|Env}$ and $S_2 \in RS_{SIS\|Env}$
such that $supp(lstate(\epsilon_1)) \subseteq S_1$ and $supp(lstate(\epsilon_2)) \subseteq S_2$.

Then we say that $(\epsilon_1, \epsilon_2) \in R$ if and only if all of the following hold:

1. For every $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$:

(a) $u.Funct = s.Funct$.

(b) $u.Funct.inval(Trans) = s.TR2.inval2(Trans)$.

(c) $u.TR.inval(Trans) = s.TR2.inval(Trans)$.

(d) $u.TR.inval(Rec) = s.TR2.inval(Rec)$.

(e) $u.TR.tdpp = s.TR2.tdpp$.

(f) $u.TR.yval = s.TR2.yval$.

(g) $u.TR.zval = s.TR2.zval$.

(h) If $u.TR.bval1 \neq \bot$ then $s.TR2.cval1 \neq \bot$, $s.TR2.inval(Trans) \neq \bot$, $s.TR2.inval(Rec) \neq \bot$,
and $u.TR.bval1 = s.TR2.cval1 \oplus s.TR2.inval2(Trans)(1 - s.TR2.inval(Rec))$.
That is, the high-level $bval1$ value is calculated as the $\oplus$ of the low-level $cval1$ value and the
transmitter's input bit.

(i) $u.TR.bval = s.TR2.bval$.

(j) $u.Src_{tdpp} = s.Src_{tdpp}$.

(k) $u.Src_{yval} = s.Src_{yval}$.

(l) $u.Src_{bval1}.chosenval = TR2.bval$.

(m) $u.Adv = s.Adv$.

(n) $u.Env = s.Env$.

2. For every $u \in supp(lstate(\epsilon_2))$: If $u.TR.bval1 = \bot$ then one of the following holds:

(a) For every $s \in supp(lstate(\epsilon_1))$, $s.Src_{cval1}.chosenval = \bot$.
That is, $cval1$ has not been chosen.

(b) For every $s \in supp(lstate(\epsilon_1))$, $s.TR2.cval1 = \bot$, and $lstate(\epsilon_1)$ projected on $Src_{cval1}.chosenval$
is the uniform distribution on $\{0,1\}$.

(c) $lstate(\epsilon_1)$ projected on $TR2.cval1$ is the uniform distribution on $\{0,1\}$.
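The two ways of filling the non-selected $bval$ position (the remark in Section 10.6 that "either way, it's a random bit") and the pairing that Property 1(h) imposes, as an added illustration: this is example code written for this page, not the paper's automata; the automata are reduced to their $fix\text{-}bval$ step, and the function names and the exhaustive enumeration over the random bit are assumptions of the example.

```python
"""Model of the fix-bval step of TR2 (Int2 system) versus TR (SIS system).

TR2 fills the round-3 bit for the index the receiver did NOT select as
cval1 XOR x[1-i], where cval1 is a uniformly random bit and x = (x0, x1)
is the transmitter's real input.  TR fills the same position with a fresh
uniform bit bval1 and never consults x[1-i].  Enumerating the random bit
shows the two produce the same distribution on every input, and Property
1(h) pairs cval1 with bval1 = cval1 XOR x[1-i] (a bijection on {0,1}).
The selected position is modelled simply as carrying x[i] in both systems.
"""
from fractions import Fraction
from itertools import product

BITS = (0, 1)


def tr2_fix_bval(x, i, cval1):
    """TR2 (Int2): bval[i] = x[i]; bval[1-i] = cval1 XOR x[1-i] (uses the real input)."""
    bval = [None, None]
    bval[i] = x[i]
    bval[1 - i] = cval1 ^ x[1 - i]
    return tuple(bval)


def tr_fix_bval(x_i, i, bval1):
    """TR (SIS): bval[i] = x_i; bval[1-i] = bval1, a fresh uniform bit. x[1-i] is unavailable."""
    bval = [None, None]
    bval[i] = x_i
    bval[1 - i] = bval1
    return tuple(bval)


def distribution(outcomes):
    """Push the uniform distribution on the random bit forward to the outcome it yields."""
    dist = {}
    for o in outcomes:
        dist[o] = dist.get(o, Fraction(0)) + Fraction(1, len(outcomes))
    return dist


def bval_distribution_int2(x, i):
    """Distribution of TR2's bval pair over uniform cval1 in {0,1}."""
    return distribution([tr2_fix_bval(x, i, c) for c in BITS])


def bval_distribution_sis(x, i):
    """Distribution of TR's bval pair over uniform bval1 in {0,1}."""
    return distribution([tr_fix_bval(x[i], i, b) for b in BITS])


def distributions_agree():
    """For every transmitter input x and receiver index i, the bval pair that
    the adversary can observe has the same distribution in Int2 and SIS."""
    return all(bval_distribution_int2(x, i) == bval_distribution_sis(x, i)
               for x in product(BITS, repeat=2) for i in BITS)


def property_1h_correspondence(x, i):
    """Property 1(h): pairing each cval1 with bval1 = cval1 XOR x[1-i] makes
    TR's state equal TR2's state, and the pairing is a bijection on {0,1},
    which is why a uniform cval1 induces a uniform bval1."""
    pairing = {c: c ^ x[1 - i] for c in BITS}
    matches = all(tr_fix_bval(x[i], i, pairing[c]) == tr2_fix_bval(x, i, c)
                  for c in BITS)
    bijective = sorted(pairing.values()) == list(BITS)
    return matches and bijective


if __name__ == "__main__":
    print("distributions agree:", distributions_agree())
    for x in product(BITS, repeat=2):
        for i in BITS:
            print(x, i, bval_distribution_int2(x, i), property_1h_correspondence(x, i))
```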

10.6.2 The mapping proof 

Lemma 10.12 The relation $R$ defined in Section 10.6.1 is a simulation relation from $Int2\|Env$ to
$SIS\|Env$. Furthermore, for each step of $Int2\|Env$, the step correspondence yields at most three steps
of $SIS\|Env$, that is, for every $S, T$, $|corrtasks(S,T)| \leq 3$.

Proof. We prove that $R$ satisfies the two conditions in Lemma 3.54.

Start condition: It is obvious that the Dirac measures on execution fragments consisting of the unique
start states $s$ and $u$ of $Int2\|Env$ and $SIS\|Env$, respectively, are $R$-related. Property 1 holds because
the state components of $s$ and $u$ on which $R$ depends are all $\bot$. Property 2 holds because
$s.Src_{cval1}.chosenval = \bot$.

Step condition: We define $corrtasks : RS_{Int2\|Env} \times RA_{Int2\|Env} \to RA^*_{SIS\|Env}$ as follows:
For any $(S,T) \in RS_{Int2\|Env} \times RA_{Int2\|Env}$:

• If $T \in \{\{in(x)_{Trans}\}, \{in(i)_{Rec}\}, \{choose\text{-}rand_{tdpp}\}, \{rand_{tdpp}\}, \{choose\text{-}rand_{zval}\}, \{rand_{zval}\}, \{send(1,f)_{Trans}\}, \{receive(1,f)_{Rec}\}, \{send(2,z)_{Rec}\}, \{receive(2,z)_{Trans}\}, \{send(3,b)_{Trans}\}, \{receive(3,b)_{Rec}\}, \{out(x)_{Rec}\}\}$, then $corrtasks(S,T) = T$.

• If $T$ is an output or internal task of $Env$ or $Adv$ that is not one of the tasks listed above, then
$corrtasks(S,T) = T$.

• If $T \in \{\{choose\text{-}rand_{cval1}\}, \{rand_{cval1}\}\}$ then $corrtasks(S,T) = \lambda$.

• If $T = \{fix\text{-}bval_{Trans}\}$ then
$corrtasks(S,T) = \{choose\text{-}rand_{bval1}\}\{rand_{bval1}\}\{fix\text{-}bval_{Trans}\}$.

Suppose $(\epsilon_1, \epsilon_2) \in R$ and $T$ is a task of $Int2\|Env$ that is enabled in $supp(lstate(\epsilon_1))$. Let $\epsilon'_1 = apply(\epsilon_1, T)$ and $\epsilon'_2 = apply(\epsilon_2, corrtasks([lstate(\epsilon_1)], T))$.

We establish the step condition by considering cases based on the value of $T$. The proof follows the
same outline as for Lemma 9.7.

1. $T = \{in(x)_{Trans}\}$.

Task $T$ is output from $Env$ to both $Funct$ and $TR2$ in the $Int2$ system, and from $Env$ to $Funct$
in the $SIS$ system.

Since $T$ is an output task of $Env$, Claim 2 implies that $T$ is enabled in every state in $supp(lstate(\epsilon_2))$,
that there is a unique action $a \in T$ that is enabled in every state in $supp(lstate(\epsilon_1)) \cup supp(lstate(\epsilon_2))$,
and that there is a unique transition $tr_{Env} = (q_{Env}, a, \mu_{Env})$ of $Env$ from $q_{Env}$ with action $a$. Here,
$a = in(x)_{Trans}$ for a particular value of $x$.

Next, we define the probability measures needed to show the step correspondence. Suppose that
$supp(\mu_{Env})$ is the set $\{q_j : j \in I\}$ of states of $Env$, where $I$ is a countable index set. Let $p$ be
the probability measure on the index set $I$ such that, for each $j \in I$, $p(j) = \mu_{Env}(q_j)$. For each
$j \in I$, we define probability measure $\epsilon'_{1j}$ as follows. The support $supp(\epsilon'_{1j})$ is the set of execution
fragments $\alpha \in supp(\epsilon'_1)$ such that $lstate(\alpha).Env = q_j$. For each $\alpha \in supp(\epsilon'_{1j})$ of the form $\alpha' a q_j$,
let $\epsilon'_{1j}(\alpha) = \epsilon_1(\alpha')$. We define $\epsilon'_{2j}$ analogously from $\epsilon'_2$.

Now fix $j \in I$; we show that $(\epsilon'_{1j}, \epsilon'_{2j}) \in R$. To do this, we establish Properties 1 and 2 of $R$ for
$\epsilon'_{1j}$ and $\epsilon'_{2j}$, and show trace distribution equivalence for $\epsilon'_{1j}$ and $\epsilon'_{2j}$.

To establish Property 1, consider any states $s' \in supp(lstate(\epsilon'_{1j}))$ and $u' \in supp(lstate(\epsilon'_{2j}))$. Let
$s$ be any state in $supp(lstate(\epsilon_1))$ such that $s' \in supp(\mu_s)$ where $(s, a, \mu_s) \in D_{Int2\|Env}$. Similarly,
let $u$ be any state in $supp(lstate(\epsilon_2))$ such that $u' \in supp(\mu_u)$, where $(u, a, \mu_u) \in D_{SIS\|Env}$.

If $s.TR2.inval2(Trans) \neq \bot$ then by Properties 1(a) and 1(b), $u.Funct.inval(Trans) \neq \bot$ and
$s.Funct.inval(Trans) \neq \bot$. In this case, task $T$ has no effect on any component other than $Env$,
in either system. Since $s'.Env = q_j = u'.Env$ by definition, it is easy to see that Property 1 holds
for $s'$ and $u'$.

Now suppose that $s.TR2.inval2(Trans) = \bot$. Then again by Properties 1(a) and 1(b), $u.Funct.inval(Trans) = s.Funct.inval(Trans) = \bot$. Then by the definitions of $Int2$ and $SIS$, we know that application of
$T$ updates $TR2.inval2(Trans)$ and $Funct.inval(Trans)$ in $Int2$, and $Funct.inval(Trans)$ in $SIS$.
It also updates the state of $Env$ to $q_j$ in both systems.

We know by Property 1(a) that $u.Funct = s.Funct$, by Property 1(b) that $u.Funct.inval(Trans) = s.TR2.inval2(Trans)$, and by 1(n) that $u.Env = s.Env$. By the effects of $T$ in definitions of $Funct$
and $TR2$, we know that $u'.Funct = s'.Funct$ and $u'.Funct.inval(Trans) = s'.TR2.inval2(Trans)$;
hence, Properties 1(a) and 1(b) hold for $s'$ and $u'$. We also know that 1(n) holds for $s'$ and $u'$ by
definition of $\epsilon'_{1j}$ and $\epsilon'_{2j}$: in both $s'$ and $u'$, the state of $Env$ is $q_j$. Since no state component other
than $TR2.inval2$, $Funct.inval(Trans)$, and $Env$ in the $Int2$ system, and $Funct.inval(Trans)$
and $Env$ in the $SIS$ system, is updated by the application of $T$, we conclude that Property 1
holds for $s'$ and $u'$, and hence, for $\epsilon'_{1j}$ and $\epsilon'_{2j}$.

The proof of Property 2 is analogous to the corresponding proof in Lemma 9.13.

The fact that $tdist(\epsilon'_{1j}) = tdist(\epsilon'_{2j})$ follows from the fact that $tdist(\epsilon_1) = tdist(\epsilon_2)$ and the
definitions of $\epsilon'_{1j}$ and $\epsilon'_{2j}$.

2. $T = \{in(i)_{Rec}\}$.

Task $T$ is output from $Env$ to $Funct$, $Adv$ and $TR2$ in the $Int2$ system, and from $Env$ to $Funct$,
$Adv$ and $TR$ in the $SIS$ system.

Since $T$ is an output task of $Env$, Claim 2 implies that $T$ is enabled in every state in $supp(lstate(\epsilon_2))$,
that there is a unique action $a \in T$ that is enabled in every state in $supp(lstate(\epsilon_1)) \cup supp(lstate(\epsilon_2))$,
and that there is a unique transition $tr_{Env} = (q_{Env}, a, \mu_{Env})$ of $Env$ from $q_{Env}$ with action $a$. Here,
$a = in(i)_{Rec}$ for a particular value of $i$.

The rest of the proof for this case follows the proof for $T = \{in(x)_{Trans}\}$. The only difference
is that, in showing that Property 1 holds for $\epsilon'_{1j}$ and $\epsilon'_{2j}$, for a fixed $j$, we use the fact that
application of $T$ affects only $Funct.inval(Rec)$, $Env$, the "new" state components of $Adv$, and
$TR2.inval(Rec)$ in the $Int2$ system, and $Funct.inval(Rec)$, $Env$, the "new" state components of
$Adv$, and $TR.inval(Rec)$ in the $SIS$ system. We use Properties 1(a), 1(d), 1(m), and 1(n).

The fact that $tdist(\epsilon'_{1j}) = tdist(\epsilon'_{2j})$ follows from the fact that $tdist(\epsilon_1) = tdist(\epsilon_2)$ and the
definitions of $\epsilon'_{1j}$ and $\epsilon'_{2j}$.

3. $T = \{choose\text{-}rand_{tdpp}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, using Property 1(j).

4. $T = \{rand(p)_{tdpp}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, using Properties 1(e) and 1(j).

5. $T = \{choose\text{-}rand_{yval}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, using Property 1(k).




Preliminary version - August 19, 2005 



6. $T = \{rand(y)_{yval}\}$.

Enabling is shown by using 1(k) and the resulting distributions are related by using 1(f).

7. $T = \{choose\text{-}rand_{cval1}\}$.

We know that for all states in $supp(lstate(\epsilon_1))$, $cval1$ has not yet been chosen. That is, $Src_{cval1}.chosenval = \bot$. Now, applying $T$ to $\epsilon_1$ gives $\epsilon'_1$ such that $\epsilon'_1.Src_{cval1}.chosenval$ is the uniform distribution on
$\{0,1\}$. Since applying $\lambda$ yields $\epsilon'_2 = \epsilon_2$, we can use 2(b) to show that $(\epsilon'_1, \epsilon'_2) \in R$.

8. $T = \{rand(*)_{cval1}\}$.

We know that for all states in $supp(lstate(\epsilon_1))$, $cval1$ has already been chosen. That is, $Src_{cval1}.chosenval \neq \bot$. Let $\epsilon'_1 = apply(\epsilon_1, T)$. We know that in all states in $supp(lstate(\epsilon'_1))$, $TR2.cval1 \neq \bot$ and
$lstate(\epsilon'_1).Src_{cval1}$ is the uniform distribution on $\{0,1\}$. Applying $\lambda$ yields $\epsilon'_2 = \epsilon_2$.

Let $p$ be the Dirac measure on the singleton index set $\{1\}$. Then, the only interesting part of the
proof is showing that $(\epsilon'_1, \epsilon'_2) \in R$. To show this, we use Property 2(b) of $R$.

9. $T = \{out'(x)_{Rec}\}$.

$T$ is output from $Funct$ to $TR2$ in the $Int2$ system and from $Funct$ to $TR$ in the $SIS$ system.

We show the enabling of $\{out'(x)_{Rec}\}$ in all states in $supp(lstate(\epsilon_2))$ by using Property 1(a). To
see that $(\epsilon'_1, \epsilon'_2) \in R$, we use Property 1(c).

10. $T = \{fix\text{-}zval_{Rec}\}$.

The fact that $T$ is enabled in all states in $supp(lstate(\epsilon_2))$ follows from Properties 1(f), 1(d), 1(c)
and 1(g). To see that $(\epsilon'_1, \epsilon'_2) \in R$, we use Property 1(g). This is straightforward because $zval$ is
computed in the same way in $TR2$ and $TR$.

11. $T = \{fix\text{-}bval_{Trans}\}$.

Here, a deterministic step in the $Int2$ system maps to a random choice followed by two deterministic
steps in the $SIS$ system.

We first show that the sequence of tasks $\{choose\text{-}rand_{bval1}\}\{rand(b)_{bval1}\}\{fix\text{-}bval_{Trans}\}$ is
enabled in $supp(lstate(\epsilon_2))$.

Since $T$ is enabled in every state $s \in supp(lstate(\epsilon_1))$, we know that $s.TR2.yval$, $s.TR2.cval1$,
$s.TR2.inval(Trans)$, $s.TR2.inval2(Trans)$, and $s.TR2.inval(Rec) \neq \bot$, and $s.TR2.bval = \bot$
in every state $s \in supp(lstate(\epsilon_1))$. Then by Property 1, we know that $u.TR.yval \neq \bot$ (by 1(f)),
$u.TR.inval(Trans) \neq \bot$ (by 1(c)), $u.TR.inval(Rec) \neq \bot$ (by 1(d)), and $u.TR.bval = \bot$ (by 1(i)).
Then by Property 1(k), we know that $u.Src_{bval1}.chosenval = \bot$. Therefore, $\{choose\text{-}rand_{bval1}\}$
is enabled from all states in $supp(lstate(\epsilon_2))$.

Let $\epsilon'_2 = apply(\epsilon_2, \{choose\text{-}rand_{bval1}\})$. Clearly, $\{rand(*)_{bval1}\}$ is enabled from all states in
$supp(lstate(\epsilon'_2))$.

Let $\epsilon''_2 = apply(\epsilon'_2, \{rand_{bval1}\})$. Then we claim that $\{fix\text{-}bval_{Trans}\}$ is enabled from all states
in $supp(\epsilon''_2)$. Let $u'' \in supp(\epsilon''_2)$. Then by the effects of the first two tasks in the sequence, we see
that $u''.TR.yval \neq \bot$, $u''.TR.inval(Trans) \neq \bot$, $u''.TR.inval(Rec) \neq \bot$, and $u''.TR.bval = \bot$.
Also, by the effects of $\{rand(b)_{bval1}\}$, we have that $u''.TR.bval1 \neq \bot$. Since these are all the
preconditions for $fix\text{-}bval_{Trans}$ in $TR$, we have that $\{fix\text{-}bval_{Trans}\}$ is enabled from $u''$, as
needed.

To see that $(\epsilon'_1, \epsilon'_2) \in R$, we use Property 1(h).

12. $T = \{out''(x)_{Rec}\}$.

$T$ is output from $TR2$ to $Adv'$ in the $Int2$ system and from $TR$ to $Adv'$ in the $SIS$ system.
Enabling follows from 1(c) and we can show that $\epsilon'_1$ and $\epsilon'_2$ are related by using 1(m).
13. $T = \{send(1,f)_{Trans}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, except that here we replace $Trans$
with $TR2$ and $TR1$ with $TR$ and use Properties 1(e) and 1(m).

14. $T = \{send(2,z)_{Rec}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, except that here we replace $Rec$
with $TR2$ and $TR1$ with $TR$, and use Property 1(g).

15. $T = \{send(3,b)_{Trans}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, except that here we replace $Trans$
with $TR2$ and $TR1$ with $TR$, and use Property 1(i).

16. $T = \{receive(1,f)_{Rec}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, except that here we replace $Rec$
with $TR2$. In showing Property 1, we use the fact that applying $T$ has no effect in either system.

17. $T = \{receive(2,z)_{Trans}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, except that here we replace $Trans$
with $TR2$. In showing Property 1, we use the fact that applying $T$ has no effect in either system.

18. $T = \{receive(3,b)_{Rec}\}$.

Identical to the corresponding case in the proof of Lemma 10.6, except that here we replace $Rec$
with $TR2$. In showing Property 1, we use the fact that applying $T$ has no effect in either system.

19. $T = \{out(x)_{Rec}\}$.

This is output from $Adv'$ to $Env$ in both systems. We use Claim 2 to show enabling. The only
interesting aspect of this proof is that $Env$ may make a probabilistic choice on the application
of $T$. The step correspondence can be shown by decomposing the distributions generated by
application of $T$ as in the case for $T = \{in(x)_{Trans}\}$.

20. $T$ is an output task of $Env$ and an input task of $Adv$.
Identical to the corresponding case in the proof of Lemma 10.6.

21. $T$ is an output task of $Env$ that is not an input task of $Adv$, $Funct$, or $TR2$, or $T$ is an internal
task of $Env$.

Identical to the corresponding case in the proof of Lemma 10.6.

22. $T$ is an output task of $Adv$ and an input task of $Env$.
Identical to the corresponding case in the proof of Lemma 10.6.

23. $T$ is an output task of $Adv$ that is not an input task of $Env$, $Funct$, or $TR2$, and is not a receive
task, or else $T$ is an internal task of $Adv$.

Identical to the corresponding case in the proof of Lemma 10.6.

□ 

Proof. (Of Lemma 10.10:)

By Lemma 10.12, $R$ is a simulation relation from $Int2_k\|Env$ to $SIS_k\|Env$. Then Theorem 3.52 implies
that $tdists(Int2_k\|Env) \subseteq tdists(SIS_k\|Env)$. Since $Env$ was chosen arbitrarily, this implies (by
definition of $\leq_0$) that $RS_k \leq_0 Int1_k$. □

Proof. (Of Lemma 10.11:)

By Lemma 10.12, $R$ is a simulation relation from $Int2_k\|Env$ to $SIS_k\|Env$ for which $|corrtasks(S,T)| \leq 3$
for every $S$ and $T$. Since that lemma holds for every $k$ and every $Env$, Theorem 3.85 implies that
$Int2 \leq_{neg,pt} SIS$. □
10.7 Putting the pieces together

Proof. (of Theorem 10.1):

Lemmas 10.5, 10.7, and 10.11, and transitivity of $\leq_{neg,pt}$, imply that $RS \leq_{neg,pt} SIS$. Since the
simulator $SSim_k$ satisfies the constraints for a simulator in Figure 2, this implies that $RS \leq_{neg,pt} IS$.
□

11 Correctness Proof, Case 3: Transmitter Corrupted 

Next, we consider the case where only the transmitter is corrupted. We prove the following theorem: 

Theorem 11.1 Let $RS$ be a real-system family for $(D, Tdp, C)$, $C = \{Trans\}$, in which the family $Adv$
of adversary automata is polynomial-time-bounded.

Then there exists an ideal-system family $IS$ for $C = \{Trans\}$, in which the family $Sim$ is polynomial-time-bounded, and such that $RS \leq_{neg,pt} IS$.

Again, we drop explicit mention of $C$. Again, we express each $Sim_k$ as a composition of automata, and
show that $RS$, the real-system family, implements the (new) structured-ideal-system family $SIS$. This
time, we do not need intermediate levels, because we do not need a Distinguisher argument.

11.1 Simulator structure 

For each $k$, we define a structured simulator $SSim_k$, as the composition of five task-PIOAs:

• $Trans(D_k, Tdp_k)$, as in $RS_k$.

• $(Src(Tdpp_k)_{tdpp})_k$, isomorphic to $Src(Tdpp_k)$.

• $(Src(\{0,1\} \to D_k)_{zval})_k$, isomorphic to $Src(\{0,1\} \to D_k)$.

• $(RecSim(D_k))_k$, an abstract version of $Rec$.

• $Adv_k$, as in $RS_k$.

$Trans$ is connected to $Adv$ as in the real system. $RecSim$ has $send$ outputs that are inputs to $Adv$, but
has no $receive$ inputs. $Adv$ also has $in(x)_{Trans}$ inputs, which come from $Env$. The outputs of $Src_{tdpp}$
go both to $Trans$ and to $Adv$. The outputs of $Src_{zval}$ go to $RecSim$ only.

$RecSim(D)$ is defined in Figure 18. It simply chooses a pair of $D$ values at random and sends it in
round 2 messages.

We define $SIS_k$, the structured ideal system, to be $Funct_k\|SSim_k$. We show:

Lemma 11.2 For every $k$, $RS_k \leq_0 SIS_k$.

Lemma 11.3 $RS \leq_{neg,pt} Int1$.

In the rest of this subsection, we fix $Env$, an environment for $RS_k$ and $SIS_k$. We suppress mention
of $k$.

11.2 State correspondence 

Here we define the correspondence $R$ from states of $RS\|Env$ to states of $SIS\|Env$, which we will show
to be a simulation relation in Section 11.3.

Let $\epsilon_1$ and $\epsilon_2$ be discrete probability measures on finite execution fragments of $RS\|Env$ and $SIS\|Env$,
respectively, satisfying the following properties:

1. Trace distribution equivalence: $tdist(\epsilon_1) = tdist(\epsilon_2)$.

2. State equivalence: There exist state equivalence classes $S_1 \in RS_{RS\|Env}$ and $S_2 \in RS_{Int1\|Env}$
such that $supp(lstate(\epsilon_1)) \subseteq S_1$ and $supp(lstate(\epsilon_2)) \subseteq S_2$.

Then we say that $(\epsilon_1, \epsilon_2) \in R$ if and only if all of the following hold:

1. For every $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$:

(a) $u.Funct.inval(Trans) = s.Trans.inval$.

(b) $u.Funct.inval(Rec) = s.Rec.inval$.

(c) $u.Trans = s.Trans$.

(d) $u.Src_{tdpp} = s.Src_{tdpp}$.

(e) $u.RecSim.zval = s.Rec.zval$.

(f) $u.Src_{zval}.chosenval = s.Rec.zval$.

(g) $u.Adv = s.Adv$.

(h) $u.Env = s.Env$.

2. For every $u \in supp(lstate(\epsilon_2))$:

If $u.RecSim.zval = \bot$ then one of the following holds:

(a) For every $s \in supp(lstate(\epsilon_1))$, $s.Src_{yval}.chosenval = \bot$.

(b) For every $s \in supp(lstate(\epsilon_1))$, $s.Rec.yval = \bot$, and $lstate(\epsilon_1).Src_{yval}.chosenval$ is the
uniform distribution on $(\{0,1\} \to D)$.

(c) $lstate(\epsilon_1).Rec.yval$ is the uniform distribution on $(\{0,1\} \to D)$.

$RecSim(D)$, where $C = \{T\}$:

Signature:

    Input:                                   Output:
    $rand(z)_{zval}$, $z \in (\{0,1\} \to D)$    $send(2, z)_{Rec}$, $z \in (\{0,1\} \to D)$

State:

    $zval \in (\{0,1\} \to D) \cup \{\bot\}$, initially $\bot$

Transitions:

    $rand(z)_{zval}$                         $send(2, z)_{Rec}$
    Effect:                                  Precondition:
        if $zval = \bot$ then $zval := z$        $z = zval \neq \bot$
                                             Effect:
                                                 none

Tasks: $\{rand(*)_{zval}\}$, $\{send(2,*)_{Rec}\}$.

State relation: $q_1$ and $q_2$ are related iff:
$q_1.zval = \bot$ iff $q_2.zval = \bot$.

Figure 18: Code for $RecSim(D)$, where $C = \{T\}$.

11.3 The mapping proof 

Lemma 11.4 The relation $R$ defined in Section 11.2 is a simulation relation from $RS\|Env$ to $SIS\|Env$.
Furthermore, for each step of $RS\|Env$, the step correspondence yields at most two steps of $SIS\|Env$,
that is, for every $S, T$, $|corrtasks(S,T)| \leq 2$.

Proof. We prove that $R$ satisfies the two conditions in Lemma 3.54. The start condition is shown as in
the previous proofs. For the step condition, we define $corrtasks : (RS_{RS\|Env} \times RA_{RS\|Env}) \to RA^*_{SIS\|Env}$
as follows:
For any $(S,T) \in (RS_{RS\|Env} \times RA_{RS\|Env})$:

• If $T$ is any task of $RS\|Env$ except for $\{choose\text{-}rand_{yval}\}$, $\{rand_{yval}\}$, or $\{fix\text{-}zval_{Rec}\}$,
then $corrtasks(S,T) = T$.

• If $T \in \{\{choose\text{-}rand_{yval}\}, \{rand_{yval}\}\}$,
then $corrtasks(S,T) = \lambda$.

• If $T = \{fix\text{-}zval_{Rec}\}$ then $corrtasks(S,T) = \{choose\text{-}rand_{zval}\}\{rand_{zval}\}$.

Thus, each task of $RS\|Env$ that is locally-controlled by a common component ($Trans$, $Adv$, $Src_{tdpp}$,
or $Env$) is replicated in $SIS\|Env$. For the locally-controlled tasks of $Rec$, there are three cases:
$\{send(2,*)_{Rec}\}$, $\{fix\text{-}zval_{Rec}\}$, and $\{out(*)_{Rec}\}$. We map $\{send(2,*)_{Rec}\}$ to the same task of $RecSim$,
$\{fix\text{-}zval_{Rec}\}$ to the two tasks of $Src_{zval}$, $choose\text{-}rand_{zval}$ followed by $rand(*)_{zval}$, and $\{out(*)_{Rec}\}$
to the same task of $Funct$. Finally, we map the locally-controlled tasks of $Src_{yval}$ to $\lambda$.

All parts of the correspondence: enabling, preservation of Property 1, state equivalence, and trace
distribution equivalence, are straightforward. □

Proof. (Of Lemma 11.2:)

By Lemma 11.4, $R$ is a simulation relation from $RS_k\|Env$ to $SIS_k\|Env$. Then Theorem 3.52 implies
that $tdists(RS_k\|Env) \subseteq tdists(SIS_k\|Env)$. Since $Env$ was chosen arbitrarily, this implies (by definition
of $\leq_0$) that $RS_k \leq_0 SIS_k$. □

Proof. (Of Lemma 11.3:)

By Lemma 11.4, $R$ is a simulation relation from $RS_k\|Env$ to $SIS_k\|Env$ for which $|corrtasks(S,T)| \leq 2$
for every $S$ and $T$. Since that lemma holds for every $k$ and every $Env$, Theorem 3.85 implies that
$RS \leq_{neg,pt} SIS$. □

11.4 Putting the pieces together

Proof. (of Theorem 11.1):

Lemma 11.3 implies that $RS \leq_{neg,pt} SIS$. Since the simulator $SSim_k$ satisfies the constraints for a
simulator in Figure 2, this implies that $RS \leq_{neg,pt} IS$. □

12 Correctness Proof, Case 4: Both Parties Corrupted 

Theorem 12.1 Let $RS$ be a real-system family for $(D, Tdp, C)$, $C = \{Trans, Rec\}$, in which the family
$Adv$ of adversary automata is polynomial-time-bounded.

Then there exists an ideal-system family $IS$ for $C = \{Trans, Rec\}$, in which the family $Sim$ is polynomial-time-bounded, and such that $RS \leq_{neg,pt} IS$.

In this case, the simulator knows everything, and so it can just play the protocol naturally, without
interacting with $Funct$. This proof does not need any intermediate levels.

12.1 Simulator structure

For each $k$, we define a structured simulator $SSim_k$ to be the same as the system $RS$. Thus, the
components are:

1. $Trans(D_k, Tdp_k)$.

2. $Rec(D_k, Tdp_k, \{Trans, Rec\})$, with $out'(x)_{Rec}$ renamed to $out''(x)_{Rec}$.

3. $Src(\{0,1\} \to D_k)_{yval}$.

4. $Src(Tdpp_k)_{tdpp}$.

5. $Adv_k(D_k, Tdp_k, \{Trans, Rec\})$.

$Env$ provides $in(x)_{Trans}$ to $Funct$, $Trans$, and $Adv$, and $in(i)_{Rec}$ outputs to $Funct$, $Rec$, and $Adv$. $Env$
receives $out(x)_{Rec}$ outputs from $Adv$, which are copies of $out''(x)_{Rec}$ outputs from $Rec$ to $Adv$. The
outputs of $Src_{tdpp}$ go both to $Trans$ and to $Adv$, and the outputs of $Src_{yval}$ go both to $Rec$ and to $Adv$.

Lemma 12.2 For every $k$, $RS_k \leq_0 SIS_k$.

Lemma 12.3 $Int2 \leq_{neg,pt} SIS$.

In the rest of this subsection, we fix $Env$, an environment for $RS_k$ and $SIS_k$, and we suppress
mention of $k$.

12.2 State correspondence 

Here we define the correspondence $R$ from states of $RS\|Env$ to states of $SIS\|Env$, which we will show
to be a simulation relation in Section 12.3. The state correspondence is essentially the identity. More
accurately, we don't care about the state of $Funct$, but we require the identity mapping for the states
of all the other components of $SIS$.

Let $\epsilon_1$ and $\epsilon_2$ be discrete probability measures on finite execution fragments of $RS\|Env$ and $SIS\|Env$,
respectively, satisfying the following properties:

1. Trace distribution equivalence: $tdist(\epsilon_1) = tdist(\epsilon_2)$.

2. State equivalence: There exist state equivalence classes $S_1 \in RS_{RS\|Env}$ and $S_2 \in RS_{Int1\|Env}$
such that $supp(lstate(\epsilon_1)) \subseteq S_1$ and $supp(lstate(\epsilon_2)) \subseteq S_2$.

Then we say that $(\epsilon_1, \epsilon_2) \in R$ if and only if all of the following hold:

1. For every $s \in supp(lstate(\epsilon_1))$ and $u \in supp(lstate(\epsilon_2))$:

(a) $u.Trans = s.Trans$.

(b) $u.Rec = s.Rec$.

(c) $u.Src_{tdpp} = s.Src_{tdpp}$.

(d) $u.Src_{yval} = s.Src_{yval}$.

(e) $u.Adv = s.Adv$.

(f) $u.Env = s.Env$.

12.3 The mapping proof 

Lemma 12.4 The relation R defined in Section 12.2 is a simulation relation from RS||Env to SIS||Env. Furthermore, for each step of RS||Env, the step correspondence yields at most one step of SIS||Env, that is, for every S, T, |corrtasks(S,T)| ≤ 1.

Proof. We prove that R satisfies the two conditions in Lemma 3.54. The start condition is shown as in the previous proofs. For the step condition, we define corrtasks: (RS_{RS||Env} × RA_{RS||Env}) → RA*_{SIS||Env} as follows. For any (S,T) ∈ (RS_{RS||Env} × RA_{RS||Env}):

• If T is any task of RS||Env except for {out'(x)_{Rec}}, then corrtasks(S,T) = T.

• If T = {out'(x)_{Rec}}, then corrtasks(S,T) = {out''(x)_{Rec}}.

Thus, the step correspondence is essentially the identity. Note that none of the corrtasks sequences includes any output or internal tasks of Funct; thus, Funct does not perform any locally-controlled steps in any of the executions that are obtained from the simulation relation.

All parts of the correspondence: enabling, preservation of Property 1, state equivalence, and trace distribution equivalence, are immediate.

□

Proof. (Of Lemma 12.2:)

By Lemma 12.4, R is a simulation relation from RS_k||Env to SIS_k||Env. Then Theorem 3.52 implies that tdists(RS_k||Env) ⊆ tdists(SIS_k||Env). Since Env was chosen arbitrarily, this implies (by definition of ≤_0) that RS_k ≤_0 SIS_k. □

Proof. (Of Lemma 12.3:)

By Lemma 12.4, R is a simulation relation from RS_k||Env to SIS_k||Env for which |corrtasks(S,T)| ≤ 1 for every S and T. Since that lemma holds for every k and every Env, Theorem 3.85 implies that RS ≤_{neg,pt} SIS. □

12.4 Putting the pieces together

Proof. (Of Theorem 12.1:)

Lemma 12.3 implies that RS ≤_{neg,pt} SIS. Since the simulator SSim_k satisfies the constraints for a simulator in Figure 2, this implies that RS ≤_{neg,pt} IS. □

13 Conclusions 

Summary. In this paper, we have provided a complete model and correctness proof for a simple 
Oblivious Transfer protocol [gmw87], using Probabilistic I/O Automata (PIOAs) [sl95]. This involved 
modeling the protocol as a system of interacting PIOAs, and the properties that the protocol is intended 
to satisfy as another such system, and proving a formal correspondence between these two system 
models. We have considered four cases, based on which parties (transmitter and/or receiver) are 
corrupted. In all cases we have considered, the adversary is essentially an eavesdropper, not an active 
malicious participant. 

The algorithm uses cryptographic primitives — specifically, a trap-door permutation and a hard-core 
predicate for its inverse. We have modeled the computational properties of these primitives in terms 
of PIOAs. The properties we have considered include both correctness of the output produced at the 
receiver end of the protocol, and secrecy of inputs and random choices of non-corrupted parties. 

Following the usual proof methods for distributed algorithms, we have decomposed our proofs into 
several stages, with general transitivity results used to combine the results of the stages. A feature 
of our proofs is that complicated reasoning about particular cryptographic primitives — in this case, a 
hard-core predicate — is isolated to a single stage of each proof. 

Producing this proof required us to develop two new kinds of theory: First, we extended traditional 
PIOA theory in two ways: 

• We defined a new notion of tasks, which provide a mechanism to resolve nondeterministic choices.

• We defined a new kind of simulation relation, which corresponds probability distributions on 
states at two levels of abstraction, and which allows splitting of distributions in order to show 
that individual steps preserve the correspondence. 

Second, we developed a new theory for time-bounded PIOAs, specifically: 

• We defined time-bounded PIOAs, which impose time bounds on the individual steps of the PIOAs. 
• We defined a new approximate, time-bounded, implementation relationship between time-bounded 
PIOAs, which is sufficient to capture the typical relationships between cryptographic primitives 
and the abstractions they are supposed to implement. 

In the multi-stage proofs, most of the stages represent exact (not approximate) implementations; 
we prove all these using standard PIOA theory, extended with our new simulation relation. The 
techniques for showing this are fairly standard in the distributed algorithms research literature, based 
on proving invariants and simulations by induction on the number of steps in an execution. The 
remaining stages involve replacement of a cryptographic primitive with a random counterpart; we 
prove that these satisfy our approximate implementation relationship. The techniques for showing 
this are based on recasting the definitions of the cryptographic primitives in terms of approximate 
implementation relationships, and then combining these primitives with other components in various 
ways that preserve the implementation relationships. Transitivity results allow us to combine all the 
implementation relationships proved at all the stages to obtain an overall approximate implementation 
relationship between the Oblivious Transfer algorithm and its property specification. 

Evaluation. We believe that these methods provide a usable, scalable structure for carrying out 
complete, rigorous proofs of security protocols, assuming standard definitions for the cryptographic 
primitives that they use. The example illustrates how such proofs can be carefully broken down into 
manageable pieces, each piece proving a particular collection of facts. Various pieces use very different 
kinds of reasoning. Thus, typical "Distinguisher" arguments about cryptographic primitives (expressed 
in terms of implementation relationships) are isolated to certain stages of the proofs, whereas other 
stages use inductive, assertional methods. 

Traditional formal reasoning about security protocols combines with this work as follows: We can 
model a system in which we use only abstract specifications for crypto primitives — for example, a 
system that uses OT as a building block. We can prove correctness of that system relative to the OT 
specification, using our simulation relation methods, or other methods such as model-checking. Then, 
we can "plug in" an OT implementation that implements the specification approximately (according 
to our approximate, time-bounded implementation relationship). Our general results about how this 
relationship is preserved with respect to composition imply that the resulting system approximately 
implements the system that has already been proved correct. 

Future work. In this paper, the task scheduler is limited to be oblivious. It would be interesting to 
allow the task scheduler more power, by allowing it to be a function from some aspects of the previous 
history to the next scheduled task. The oblivious scheduler can be formulated equivalently in this 
way, where the available history information is just the sequence of past tasks. However, we would 
like to allow the scheduler more information, for instance, the actual states of adversarial components 
(like Adv) in between all the tasks. Making an extension of this kind will require rather deep changes 
throughout our work, all the way back to the basic theory of task-PIOAs, in Section 3. 

We plan to test the power of these techniques by applying them to more security protocols, including 
protocols that use different cryptographic primitives, and protocols that have more powerful adversaries 
(active rather than passive; adaptive). A good example is a simple key exchange protocol that uses a 
basic signature scheme, and that is intended to work against an active adversary. We would also like 
to consider Oblivious Transfer protocols in the presence of more powerful adversaries. 

We will explore reasoning about more complicated protocols, which involve composition of many 
sub-protocols (e.g., multiple instances of Oblivious Transfer, or a combination of key distribution and 
secret communication); the idea is to try to use our techniques on the pieces and combine them using 
our general composition results. 

Some interesting security protocols do not use any cryptographic primitives, for example, protocols 
that achieve perfect zero-knowledge [gmr89]. For these, our basic PIOA techniques should work, 
without any need for reasoning about approximate implementations. We will consider basic zero- 
knowledge protocols, for example, for graph isomorphism. 
We would like to use the general methods presented here to model other cryptographic primitives, 
and to capture the ways in which they can be combined and used in protocols. This will involve 
restating the definitions of those primitives in terms of approximate implementation relationships with 
respect to more abstract PIOAs. Expressing these primitives in this way should enable reformulating 
traditional Distinguisher arguments (which proceed by contradiction) as (positive) arguments about 
approximate implementation. After reformulating these primitives, it remains to analyze protocols that 
use the primitives, using our mapping techniques. 

A Component Interaction Diagrams 

The figures that appear in this section show how the system components are connected in each of the four cases we consider. The arrows that have no labels represent the actions in In_E ∪ Out_E. The action names send(m)_{Trans}, receive(m)_{Trans}, send(m)_{Rec} and receive(m)_{Rec} are abbreviated to, respectively, s(m)_{Trans}, r(m)_{Trans}, s(m)_{Rec} and r(m)_{Rec}. In these figures, we abbreviate the subscript Trans by just T and the subscript Rec by just R.
[Figures 19 through 28 are component interaction diagrams; only their captions survive extraction.]

Figure 19: SIS(∅)

Figure 20: RS(∅)

Figure 21: Intermediate system where neither party is corrupted

Figure 22: SIS({R})

Figure 23: Int1 where only the Receiver is corrupted

Figure 24: RS({R})

Figure 25: SIS({T})

Figure 26: RS({T})

Figure 27: SIS({T, R})

Figure 28: RS({T, R})